b'       November 15, 2006\n\n\n\n\n    Information Technology\n    Management\n    Defense Information Systems Agency\n    Controls of the Center for Computing\n    Services Placed in Operation and\n    Tests of Operating Effectiveness for\n    the Period December 1, 2005,\n    through July 31, 2006\n    (D-2007-022)\n\n\n\n\n                 Department of Defense\n                Office of Inspector General\n     Quality             Integrity        Accountability\nF\n\x0cAdditional Copies\n\nTo obtain additional copies of this report, visit the Web site of the Department of\nDefense Inspector General at http://www.dodig.mil/audit/reports or contact the\nSecondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax\n(703) 604-8932.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Office of the Deputy\nInspector General for Auditing at (703) 604-8940 (DSN 664-8940) or fax (703)\n604-8932. Ideas and requests can also be mailed to:\n\n                     ODIG-AUD (ATTN: Audit Suggestions)\n                     Department of Defense Inspector General\n                       400 Army Navy Drive (Room 801)\n                           Arlington, VA 22202-4704\n\x0c\x0c\x0cTable of Contents\n\nForeword                                                             i\n\nSection I: Independent Service Auditor\xe2\x80\x99s Report                      1\n\nSection II: Information Provided by DISA                             7\n\n        Overview of Operations                                       9\n        Overview of the Control Environment                         14\n        Information and Communication                               23\n        Control Objective and Related Control Activities            24\n        User Control Consideration                                  24\n\nSection III: Control Objectives, Control Activities, and Tests of\n             Operating Effectiveness                               
 27\n\n        Security Program                                            29\n        Risk Assessments                                            30\n        Security Plans                                              31\n        Security Management                                         31\n        Personnel                                                   32\n        Resource Classification                                     36\n        Account Management                                          39\n        Physical Security                                           41\n        Logical Access Controls                                     43\n        Networks and Telecommunications                             46\n        Incident Response                                           48\n        Access Monitoring                                           49\n        Change Control                                              51\n        Service Continuity                                          54\n\nSection IV: Supplemental Information Provided by DISA               61\n\nScope                                                               65\n\nAcronyms and Abbreviations                                          67\n\nReport Distribution                                                 69\n\x0c\x0c                                      FOREWORD\n\nThis report is intended for the use of Defense Information Systems Agency (DISA)\nmanagement, its user organizations, and the independent auditors of its user\norganizations.\n\nThe DoD Office of Inspector General is implementing a long-range strategy to conduct\naudits of DoD financial statements. The Chief Financial Officers Act of 1990, as\namended, mandates that agencies prepare and conduct audits of financial statements. 
The\nreliability of information processed at the DISA sites directly impacts the ability of DoD\nto produce reliable, and ultimately auditable, financial statements, which is key to\nachieving the goals of the Chief Financial Officers Act.\n\nThis report focuses on the DISA Center for Computing Services (CS). CS provides\ncomputer processing for the entire range of combat support functions; including\ntransportation, logistics, maintenance, munitions, engineering, acquisition, finance,\nmedicine, and military personnel readiness. CS offers computing services on both CS-\nand customer-owned platforms including computer operations, data storage, systems\nadministration, security management, capacity management, system engineering, web\nand portal hosting, architectural development, and performance monitoring.\n\nThis examination assessed controls defined by DISA over the CS environment. The\nreport provides an opinion on the fairness of presentation by DISA of its description of\ncontrols, the suitability of the design of controls, and the operating effectiveness of key\ncontrols that are relevant to audits of a user organization\xe2\x80\x99s financial statements. As a\nresult, this examination may preclude the need for additional audits of general controls\nsuch as those that were previously performed by user organizations to plan or conduct\nfinancial statement and performance audits. This examination will also provide a\nseparate audit report with recommendations to management for correction of identified\ninternal control deficiencies.\n\nEffective internal control is a critical and required element necessary to achieve reliable\ninformation for management reporting and decision-making. The concept of adequate\ninternal control is the fundamental objective of this American Institute of Certified Public\nAccountants Statement on Auditing Standards No. 70 Report. 
Internal control is a\nprocess designed by management to provide reasonable assurance that the activity\nachieves its objectives related to the reliability of financial reporting, the effectiveness of\noperations, and compliance with applicable significant laws and regulations. DISA has\nimplemented internal control standards for the CS environment that require strict\ncompliance with DoD and DISA policies. The level of compliance by DISA with\nspecific aspects of these regulations has a direct impact on the accompanying description\nof internal controls and related control test results.\n\n\n\n\n                                               i\n\x0c\x0cSection I: Independent Service Auditor\xe2\x80\x99s Report\n\n\n\n\n                       1\n\x0c\x0c\x0cIn our opinion, the accompanying description of the aforementioned controls presents\nfairly, in all material respects, the relevant aspects of controls that had been placed in\noperation as of July 31, 2006. Also, in our opinion, except for the deficiencies in the\ndesign of the controls and their effect on the related control objectives described in the\npreceding paragraphs, the controls, as described, are suitably designed to provide\nreasonable assurance that the specified control objectives would be achieved if the\ndescribed controls were complied with satisfactorily and user organizations applied the\ncontrols contemplated in the design of the CS controls.\n\nIn addition to the procedures we considered necessary to render our opinion as expressed\nin the previous paragraph, we applied tests to specific controls, listed in our description\nof the tests of operating effectiveness, to obtain evidence about their effectiveness in\nmeeting the related control objectives, described in Section III of this report, during the\nperiod from December 1, 2005, to July 31, 2006. 
The specific controls and the nature,\ntiming, extent, and results of the tests are listed in our description of the tests of operating\neffectiveness. This information has been provided to user organizations of CS and to\ntheir auditors to be taken into consideration, along with information about the internal\ncontrol at user organizations, when making assessments of control risk for user\norganizations.\n\nAs discussed in the accompanying description of controls and in our description of the\ntests of operating effectiveness, CS has controls in place to document reportable\ncomputer operations incidents in accordance with DISA CS Instruction 360-225-1,\n\xe2\x80\x9dEvent Reporting,\xe2\x80\x9d December 7, 2004. Our tests of operating effectiveness, however,\nindicated that not all such incidents are being documented in accordance with the\nInstruction. This resulted in the non-achievement of Control Objective 11, \xe2\x80\x9cControls\nprovide reasonable assurance that an effective incident response capability has been\nimplemented.\xe2\x80\x9d\n\nIn our opinion, except for the deficiency in operating effectiveness and the non-\nachievement of the related control objective noted in the previous paragraph, the controls\nthat were tested, as presented in our description of the tests of operating effectiveness,\nwere operating with sufficient effectiveness to provide reasonable, but not absolute,\nassurance that the control objectives specified in our description of those tests were\nachieved during the period from December 1, 2005, to July 31, 2006.\n\nThe relative effectiveness and significance of specific controls over CS and their effect\non assessments of control risk at user organizations are dependent upon their interaction\nwith controls and other factors present at individual user organizations. 
We have\nperformed no procedures to evaluate the effectiveness of the controls at individual user\norganizations.\n\nThe description of the controls over CS is as of July 31, 2006, and information about tests\nof the operating effectiveness of specific controls covers the period from December 1,\n2005, to July 31, 2006. Any projection of such information to the future is subject to the\nrisk that, because of change, the description may no longer portray the controls in\nexistence. The potential effectiveness of specific controls at the service organization is\nsubject to inherent limitations and, accordingly, errors or fraud may occur and not be\ndetected. Furthermore, the projection of any conclusions, based on our findings, to future\nperiods is subject to the risk that changes made to the system or controls, or the failure to\nmake needed changes to the system or controls, may alter the validity of such\nconclusions.\n\n\n\n                                               4\n\x0c\x0c\x0cSection II: Information Provided by DISA\n\n\n\n\n                   7\n\x0c\x0cOverview of Operations\nDefense Information Systems Agency\n\nThe Defense Information Systems Agency (DISA) is a combat support agency\nresponsible for planning, engineering, acquiring, fielding, and supporting global net-\ncentric solutions to serve the needs of the President, Vice President, the Secretary of\nDefense, and other DoD Components, under all conditions of peace and war. DISA is\nthe provider of global net-centric 1 solutions for the nation\xe2\x80\x99s war fighters and all those\nwho support them in the defense of the Nation. The core services are Acquisition, Center\nfor Computing Services (CS), Enterprise Services, Network Operations, Network\nServices, Net-Centric Enterprise Services, and Global Information Grid (GIG)-\nBandwidth Expansion. Chart 1 provides the organizational structure of DISA.\n\nChart 1. 
Defense Information Systems Agency\n\n                                                                                   Senior\n                                                          Director                Enlisted\n                                                                                  Advisor\n                                Chief of                                                                     Chief\n                                 Staff                                                                     Technology\n                                                                                                             Officer\n\n             Congressional\n                Affairs         Protocol\n                                                       Vice Director            Component                     NCES\n                                                                                Acquisition                  Program\n                                                                                 Executive                    Office\n           Inspector General\n\n\n\n                                                                                  GIG-BE\n            EEO & Cultural                                                        Program\n              Diversity                                                            Office\n\n                                                                                                        Chief Financial\n                                                                                                     Executive/Comptroller\n            General Counsel\n                                   White House                            White House\n                                     Situation                           Communication\n                                                                                                     Manpower, Personnel,\n                             
      Support Staff                            Agency\n                                                                                                    and Security Directorate\n            NSA Liaison to\n               DISA\n                                                                                                      Strategic Planning and\n                                     GIG                                                              Information Directorate\n                                  Enterprise            GIG Combat              GIG\n               Small &\n                                   Services               Support            Operations\n            Disadvantaged\n                                 Engineering            Directorate          Directorate\n               Business\n              Utilization        Directorate                                                        Procurement & Logistics\n                                                                                                       Directorate/DITCO\n\n\n               Defense                                  Center for             Field\n            Spectrum Office                             Computing             Security\n                                                         Services            Operations\n                                                                              Division\n\n              Director for\n                Testing                            NCES - Net-Centric Enterprise Services\n                                                   GIG - Global Information Grid\n                                                   BE - Bandwidth Expansion\n                                                   EEO - Equal Employment Opportunity\n            Reserve Forces                         NSA - National Security Agency\n                                                   DITCO - Defense Information Technology Contracting 
Organization\n\n\n\n\n1\n    A continuously evolving, complex community of people, devices, information and services\n    interconnected by a communications network to achieve optimal benefit of resources and better\n    synchronization of events.\n\n\n\n                                                                     9\n\x0cThis report focuses on the controls over CS, which is under the GIG Combat Support\nDirectorate. This report addresses controls that are owned by other DISA organizations\nlike the CIO office and FSO, under the GIG Operations Directorate, as they relate to CS\noperations and general controls over the Defense Enterprise Computing Centers\n(DECCs).\n\nCenter for Computing Services\n\nThe CS provides computer processing for the entire gamut of combat support functions,\nincluding transportation, logistics, maintenance, munitions, engineering, acquisition,\nfinance, medicine, and military personnel readiness. With more than 800,000 users, CS\noperates over 1,400 applications in 18 geographically separate facilities using more than\n40 mainframes and 3,000 servers. The supported applications: 1) provide command and\ncontrol of war fighting forces, 2) facilitate mobility of the war fighters through\nmaintenance of the airlifted and tanker fleets, 3) provide war fighter sustainment through\nresupply and reorder, and 4) manage the medical environment and patient care.\n\nCS features diverse locations, a Defense-in-depth philosophy, and dual high-capacity\nDefense Information System Network connectivity. CS also uses automated systems\nmanagement to control computing resources and realize economies of scale. CS has\nadopted assured computing philosophies and implemented initiatives in the Unisys and\nIBM mainframe environments to ensure that information and mission-critical\napplications are continuously available to customers. 
Such initiatives include facility\nupgrades, improved software and equipment availability, diverse and redundant\ncommunications, and measures to remotely replicate data. Assured computing, coupled\nwith the ability to rapidly increase processing and storage capacity through utility\ncontracts, enables DISA to provide the availability and surge capabilities that customers\nrequire.\n\nCS offers computing services on both DISA- and customer-owned platforms. Computing\nservices include computer operations, data storage, systems administration, security\nmanagement, capacity management, system engineering, web and portal hosting,\narchitectural development, and performance monitoring. Computing services are\nprovided by a highly skilled workforce and performed in state-of-the-art computing\nfacilities strategically located throughout the continental United States; Stuttgart,\nGermany; and Pearl Harbor, Hawaii. DISA facilities are operational 24 hours a day,\n7 days a week, 365 days a year, and support both unclassified and classified computing\nenvironments. Services are available to the Services, Defense Agencies, and Combatant\nCommanders. Chart 2 provides the organizational structure of CS.\n\nCS headquarters is located in Falls Church, Virginia. There are other headquarters\nelements located in Chambersburg, Pennsylvania; Denver, Colorado; Dayton, Ohio; and\nPensacola, Florida. CS has a Director, Deputy Director, Chief of Staff, and two Special\nAdvisors (one business and one technical), and the following five Divisions.\n\nBusiness Management Center. The Business Management Center (BMC) provides\nbudgeting, resource management, manpower, personnel, training, business proposals, and\nservice-level agreements (SLA). There are three primary BMC elements: CS\nHeadquarters in Falls Church, Virginia; the Blue Ridge Center located in Chambersburg,\nPennsylvania; and the Rocky Mountain Center located in Denver, Colorado.\n\nPrograms and Implementation Division. 
The Programs and Implementation Division\nmanages and directs assigned programs for CS. Programs include the migration of\nlegacy systems to standard systems, development of standard business practices, and\n\n                                            10\n\x0cdefinition of operational acquisition requirements. The Division Chief sets policy and\nprocedures for CS project management and has subordinate branches for Implementation\nSupport, Mainframe, Mid-Tier, and Communications. This division also has liaison\npersonnel located at each of the Systems Management Centers (SMCs).\n\nChart 2. Center for Computing Services\n\n\n                                  Enterprise                 Director\n                                 Economics &                                                  Chief of Staff\n                                  Acquisition                                              Executive Secretary\n                                                         Deputy Director\n                                                                                          Management Assistant\n                                                                                          Administrative Assistant\n\n\n\n\n            Business               Programs &            Operations                                              Engineering &\n           Management            Implementation           Division                   Logistics Division           Architecture\n             Center                  Division                                                                       Division\n\n\n\n\n                                            DECC-PE                                    DECC -SMC\n                                             Denver                                   Mechanicsburg\n\n\n                   DECC-PE\n                  Jacksonville                                                       DECC-SMC/CCC\n                                            
DECC-PE                                   Oklahoma City\n                                          Chambersburg\n                   DECC-PE\n                  Rock Island                                                        DECC-SMC/CCC\n                                                                                       Montgomery\n                                           DECC-PE\n                                          Warner Robin\n                                                                                       DECC-SMC\n                   DECC-PE                                                               Ogden\n                    Norfolk\n                                            DECC-PE\n                                            San Diego                                     DECC\n                   DECC-PE                                                                Europe\n                    Dayton\n\n\n                                            DECC-PE                                       DECC\n                                            Huntsville                                    Pacific\n\n\n                  DECC-ISC\n                  San Antonio                                           DECC - Defense Enterprise Computing Center\n                                            DECC-ISC                    SMC - Systems Management Center\n                                            St. Louis                   CCC - Communications Control Center\n                                                                        PE - Processing Element\n                   DECC-ISC                                             ISC - Infrastructure Services Center\n                   Columbus                                             _______ Direct Control\n                                                                        __ __ __ Operational Control\n\n\n\n\nEngineering and Architecture Division. 
The Engineering and Architecture Division\nconceives and develops alternative architectural strategies for adding new computer and\ntelecommunications technologies into systems to increase system security, survivability,\ninteroperability, endurance, and sustainability. This division directs and performs\ncomplex system engineering trade-off analyses for technology and facilities. The\nEngineering and Architecture Division has elements located in Falls Church, Virginia,\nand Denver, Colorado.\n\nLogistics Division. The Logistics Division advises the Director of CS on all logistics,\nacquisition, and facilities management issues and provides command direction and\nguidance to execute integrated logistics support for assigned activities and systems. This\n\n                                                           11\n\x0cdivision manages logistics support for assigned operational elements of the Defense\nInformation Infrastructure for the Directors of DISA and CS. The Logistics Division\nprovides matrixed, cost-effective, integrated life cycle logistics and acquisition support\nservices to CS. This division has offices in Chambersburg, Pennsylvania; Denver,\nColorado; and Dayton, Ohio. The Logistics Division also has a liaison officer in each of\nthe four SMCs.\n\nOperations Division. The Operations Division advises the Director of CS on all\nprincipal operations and has the overall responsibility for issuing operations and security\nstandards, policies, plans, standard business processes, and standard operating\nprocedures. 
This division:\n\n       \xe2\x80\xa2   tasks other CS elements as required to achieve the CS mission;\n\n       \xe2\x80\xa2   manages and assesses operations and security of all assigned DISA\n           information processing, communications, and network systems;\n\n       \xe2\x80\xa2   provides appropriate assets in response to contingencies and exercises;\n\n       \xe2\x80\xa2   oversees the overall operational performance and effectiveness of the Defense\n           Information Infrastructure efforts implemented within CS as well as assigned\n           systems;\n\n       \xe2\x80\xa2   develops and maintains CS programs for configuration management,\n           executive software, capacity management, incoming projects, and\n           contingency operations; and\n\n       \xe2\x80\xa2   manages the Network Operations for CS and integrates it into the DISA\n           Network Operations program.\n\nThe Operations Division is organized in three layers: headquarters-level policy and plans,\nheadquarters-level centralized operations, and direct operations. The direct operations\nlayers include the operating sites and the Communications Control Centers (CCCs).\n\n        Operating Sites. The operating sites are called DECCs. The DECCs located\noutside the continental United States are DECC Pacific in Pearl Harbor, Hawaii and\nDECC Europe in Stuttgart, Germany. They provide processing services for DoD\nelements within their theater of operations. The DECCs in the continental United States\nare divided into the following functional designations.\n\n       \xe2\x80\xa2   Systems Management Centers (SMCs). The primary responsibility of each\n           SMC is systems management and customer support functions for the\n           mainframe and server computing environments. 
The SMCs are located in\n           Mechanicsburg, Pennsylvania; Montgomery, Alabama; Ogden, Utah; and\n           Oklahoma City; Oklahoma.\n\n       \xe2\x80\xa2   Infrastructure Services Centers (ISCs). ISC personnel perform system\n           management for specialized fielding efforts from CS customers. The ISCs are\n           in Columbus, Ohio; St. Louis, Missouri; and San Antonio, Texas.\n\n\n\n\n                                            12\n\x0c           \xe2\x80\xa2   Processing Elements (PEs). Facility management, hardware support,\n               physical security, touch labor 2 for communication devices, and touch labor\n               for media management are the primary responsibilities for each PE. The PEs\n               are located in Chambersburg, Pennsylvania; Dayton, Ohio; Denver, Colorado;\n               Huntsville, Alabama; Jacksonville, Florida; Norfolk, Virginia; Rock Island,\n               Illinois; San Diego, California; and Warner Robins, Georgia.\n\n       Communications Control Centers. The CCCs manage all classified and\nunclassified network devices. The CCCs are at DECCs Montgomery and Oklahoma\nCity.\n\nField Security Operations\n\nThe mission of Field Security Operations (FSO) is to provide information systems,\nnetwork security products, and direct funding and reimbursable services throughout DoD,\nincluding the Combatant Commands, the Services, and Defense agencies. The FSO\nsupports the National Command Authority, Combatant Commanders, Joint Task Force\nComputer Network Operations, the Services, and Defense agencies through Global\nNetwork Operations, Computer Emergency Response Capabilities, and Information\nSystem Security Services. The FSO provides such support by directing, managing, and\nprotecting critical elements of the GIG. In this capacity, the FSO is the Certifying\nAuthority for the DISA Designated Approving Authority (DAA). 
The FSO:\n\n           \xe2\x80\xa2   develops, implements, and maintains security guidance and processes;\n\n           \xe2\x80\xa2   conducts full scope security reviews;\n\n           \xe2\x80\xa2   provides security training, security training products, and system\n               administrator (SA) certification; and\n\n           \xe2\x80\xa2   implements security architecture and information assurance (IA) tools.\n\nChief Information Officer\n\nThe Chief Information Officer (CIO) provides staff support in accomplishing information\nresources management duties mandated by the Clinger-Cohen Act. The CIO develops\ninformation resources management and information technology (IT) policies, performs\nIT management strategic planning, and incorporates and disseminates architecture and\nstandards guidance, as well as IT investment criteria. The CIO advises on acquisitions\nfor DISA IT and coordinates with Office of the Secretary of Defense on information\nresources management, IT, and IT acquisition matters. The CIO is the DAA for DISA-\nowned and -operated internal IT enclaves and networks. The CIO manages the agency-\nwide programs for Privacy Act and records management, and manages implementation of\nthe DISA Electronic Business and Electronic Commerce.\n\nManpower, Personnel, and Security\n\nThe Manpower, Personnel, and Security (MPS) Directorate provides plans, programs,\nand oversight worldwide in the mission areas of civilian personnel, military personnel,\nhuman resource development, organization and manpower program administration,\n\n2\n    Touch labor refers to personnel providing physical on-site work needed when systems are remotely\n    managed.\n\n\n\n                                                     13\n\x0cpayroll, travel, transportation, mail management, visual information, security, and\ncommand information. 
In addition to worldwide responsibilities, MPS is responsible for\nproviding direct service support to all DISA activities in the National Capital Region.\n\nThe Civilian Personnel Division, within MPS, advises and assists the Director of DISA in\nformulating, executing, and evaluating civilian personnel plans and programs; provides\ntechnical guidance and assistance to the DISA managers and employees; and oversees\nDISA civilian personnel management activities worldwide.\n\nThe DISA Security Division, within MPS, provides security policy, guidance, and\noversight (except for Information Systems Security) to DISA activities worldwide, using\na multi-disciplined and risk management approach. This division also provides\ntraditional security assistance in information, personnel, physical, and special security\nreviews and assessments in support of the DISA Security Certification and Accreditation\nprocess.\n\nProcurement Directorate\n\nThe Procurement Directorate has four contracting organizations. One of the four is the\nDefense Information Technology Contracting Organization located at Scott Air Force\nBase, Illinois. It supports CS and is responsible for the procurement of commercial\ninformation technology services and equipment required by DoD agencies and other U.S.\nGovernment agencies.\n\n\nOverview of the Control Environment\nIA controls are layered and are applied through procedures and physical applications.\nControls are employed to protect resources from theft, loss, damage, inadvertent\ndisclosure, compromise, and deliberate attempts to gain access by forced or surreptitious\nmeans. Protection is accomplished through the employment of countermeasures to deter,\ndelay, detect, assess, and respond to unauthorized activity.\n\nCS has the responsibility of providing core services and meeting customer expectations\nthrough professional and consistent operations services and standard implementation of\nDoD regulations and policies. 
CS is responsible for continual refinement and analysis of\noperations performance metrics and practices to identify and implement opportunities for\nimprovement in executing core operations services and maintaining the integrity of the\nsecurity posture of the operations environment.\n\nSecurity Management\n\nSecurity Review Program Guidance. In general, security review programs focus on\nmanagement actions that establish the DAA and the processes that support the\naccreditation of an automated information system. DoD implemented the Office of\nManagement and Budget (OMB) Circular A-130, \xe2\x80\x9cManagement of Federal Information\nResources,\xe2\x80\x9d requirements for a security program through DoD Instruction 5200.40, \xe2\x80\x9cDoD\nInformation Technology Security Certification and Accreditation Process (DITSCAP),\xe2\x80\x9d\ndated December 30, 1997, and other DoD policies. DISA Instruction 630-230-19,\n\xe2\x80\x9cAutomated Data Processing Information Systems Security Program,\xe2\x80\x9d dated July 9,\n1996, prescribes policy and assigns responsibilities for implementing, managing, and\nmaintaining the DISA Information Systems Security Program and implements the DoD\nprograms, including DITSCAP and designation of the DAA. The DITSCAP and\nresultant Certification and Accreditation program are major components of the DISA\nsecurity review program.\n\nSecurity Control Program at the DECCs. The DISA Computing Services Security\nHandbook (the Security Handbook), the Information Assurance Vulnerability Alert\nHandbook, and the STIGs cover the Federal (OMB, DoD, and DISA) requirement for the\nprimary operational-level guidance for implementation of automated information system\nsecurity controls. The DECC security management organization structure and general\nbusiness practices support the security program, including review of security controls.\n\nSecurity Roles and Responsibility\n\nDISA DAA/CIO. 
The DISA DAA/CIO retains the overall responsibility for the\nCertification and Accreditation as it pertains to the DITSCAP process of the CS sites.\n\nCS Information Assurance Manager (IAM). The CS IAM provides guidance and\nadvice to CS on IA, communications, and emanation security. This position is located\nwithin the FSO. However, the CS IAM reports to the Chief of Operations on security\nmatters. When there is a disagreement relating to security, the CS IAM can go directly to\nthe Deputy Director or Director of CS.\n\nCS Security Manager (SM). The CS SM provides guidance and advice to the Director\nof CS, his staff, and personnel on physical, industrial, personnel, and information\nsecurity, as well as security management. This position is located within the FSO, but\nreports to the Chief of Operations on security matters. When there is a disagreement\nrelating to security, the CS SM can go directly to the Deputy Director or Director of CS.\n\nSite IAM. The site IAM develops and maintains an organization or DoD information\nsystem-level IA program that identifies IA architecture, requirements, objectives, and\npolicies; personnel; and processes and procedures. The site IAM reports to the Deputy\nDirector or Director of the site.\n\nSite Information Assurance Officer (IAO). The site IAO assists the site IAM in\nmeeting the duties and responsibilities discussed previously. The site IAO reports to the\nsite IAM.\n\nRisk Assessments\n\nCS implemented a risk assessment process to identify and manage risks that could affect\ncustomer organizations. This process requires a formal risk assessment, which is part of\nthe System Security Authorization Agreement. The process also includes an external and\ninternal compliance validation and procedures to maintain an acceptable level of risk.\n\nFormal Risk Assessment. The FSO prepares the formal risk assessment for each CS\nsite. 
The threats are identified, and the countermeasures that have been implemented\nagainst them are validated to determine the residual risk. Various tools are used to validate the effectiveness of the\nimplemented countermeasures, including the Security Readiness Review (SRR) and the\nvulnerability scan used to determine the effectiveness of the network, systems, physical,\npersonnel, information, and industrial security procedural countermeasures. The SRR\nand vulnerability scans can be conducted by the FSO or as self-assessments performed by\nsite personnel. Environmental and facility reviews conducted by CS Facility Engineers\nare used to determine the effectiveness of facility and environmental countermeasures.\nVarious Federal Emergency Management Agency web sites are used to determine\nweather, climatic, and natural threats.\n\nThe IAMs for DECCs are responsible for reviewing and identifying pen and pencil\nchanges to risk assessment documents on an annual basis. If there are no changes noted,\nthe formal risk assessment document is not re-dated or re-signed. The CS IAM is\nresponsible for reviewing and making changes to the DECC PEs risk assessment\ndocuments as they occur. The formal risk assessment is a required appendix to the\nSystem Security Authorization Agreement under the DITSCAP by the DISA DAA (the\nDISA CIO). A complete formal review and documented risk assessment is conducted\nonly every 3 years.\n\nMission Assurance Category. The mission assurance category (MAC) reflects the\nimportance of information relative to the achievement of DoD goals and objectives,\nparticularly the war fighter combat mission. MAC levels are the basis for determining\navailability and integrity control requirements. DoD has three defined MAC levels.\n\n       \xe2\x80\xa2   MAC I. 
These systems handle information that is vital to the operational\n           readiness or mission effectiveness of deployed and contingency forces in\n           terms of both content and timeliness. The consequences of loss of integrity or\n           availability of a MAC I system are unacceptable and could include the\n           immediate and sustained loss of mission effectiveness. MAC I systems\n           require the most stringent protection measures.\n\n       \xe2\x80\xa2   MAC II. These systems handle information that is important to the support\n           of deployed and contingency forces. The consequences of loss of integrity are\n           unacceptable. Loss of availability is difficult to deal with and can only be\n           tolerated for a short time. The consequences could include delay or\n           degradation in providing important support services or commodities that may\n           seriously impact mission effectiveness or operational readiness. MAC II\n           systems require additional safeguards beyond best practices to ensure\n           assurance.\n\n       \xe2\x80\xa2   MAC III. These systems handle information that is necessary for the conduct\n           of day-to-day business, but do not materially affect support to deployed or\n           contingency forces in the short-term. The consequences of loss of integrity or\n           availability can be tolerated or overcome without significant impacts on\n           mission effectiveness or operational readiness. The consequences could\n           include the delay or degradation of services or commodities enabling routine\n           activities. MAC III systems require protective measures, techniques, or\n           procedures generally commensurate with commercial best practices.\n\nCompliance Validation\n\nThe FSO and CS use automated scripts and the IA connection approval process to\nvalidate DISA compliance. 
The results are maintained in two databases, the Vulnerability Management\nSystem (VMS) and the Security Automated Database. CS categorizes the findings\nor vulnerabilities into four categories, based on severity.\n\n       \xe2\x80\xa2   Finding Category I. Any vulnerability that may result in a total loss of\n           information or that gives an unauthorized person or software immediate\n           access into a system, privileged access, a means to bypass a firewall, or\n           the ability to cause a denial of service.\n\n       \xe2\x80\xa2   Finding Category II. Any vulnerability that provides information that has a\n           high potential of giving access to an unauthorized person, or provides an\n           unauthorized person the means to circumvent security controls.\n\n       \xe2\x80\xa2   Finding Category III. Any vulnerability that provides information that could\n           lead to an unauthorized access.\n\n       \xe2\x80\xa2   Finding Category IV. Any other vulnerability that contributes to degraded\n           security.\n\nExternal Compliance Validation. The external compliance validation is conducted by\nthe FSO. Because of the number and size of the sites, a complete review of each site\ncannot be made on an annual basis. The complete review is conducted during a 3-year\ncycle to coincide with the formal accreditation cycle. The number of FSO visits is\ndependent on reviewing 33 percent of each site\xe2\x80\x99s assets on an annual basis. In\naccordance with DITSCAP, accreditation decisions are made for a maximum of a 3-year\nperiod. Annual reviews conducted by the FSO are known as Information Assurance\nReviews. The Information Assurance Review includes a review of procedures,\ndocumentation, SRRs, and a vulnerability or penetration scan. 
All Information\nAssurance Review results are entered into VMS and briefed to the responsible senior\nmanagement and security staff as well as the Director, CS.\n\nSecurity Readiness Reviews. The SRRs consist of manual checks (the traditional SRR),\nautomated checks (the technical SRR), and vulnerability scans.\n\n        Traditional SRR. The traditional SRR determines whether policies and\nprocedures on physical, information, personnel, industrial, communications, and\nemanations security comply with DoD regulations and DISA instructions. It also\nvalidates whether policies and procedures are correctly and adequately implemented.\n\n        Technical SRR. The technical SRR uses automated checks of network devices,\nfirewalls, intrusion detection systems, operating systems, databases, and web applications\nto verify that standard configuration settings are in accordance with applicable Security\nTechnical Implementation Guides (STIGs).\n\n        Vulnerability Scans. The Vulnerability Assessment Process uses a commercial\nautomated scanning tool, Retina Scan, that checks for known or demonstrated\nvulnerabilities. The scan is a 2-step process. The first step is external to the perimeter of\nthe enclave and determines the robustness of perimeter defenses. The second step is\ninside the perimeter of the enclave and determines the robustness of the defense of each\ndevice within the enclave. Scan results, once associated with the communications,\nserver, database, and web applications running on a device, are fed\ninto the SRR database, which is a part of the VMS database. When findings from the\nscan cannot be associated with a specific device, the result is called a Vulnerability\nAssessment Process Report and is associated with the network of that enclave.\n\nInternal Compliance Validation. There are two internal compliance validation\nprocesses. 
The first validation process is an automated review process that uses scripts\ndeveloped by the FSO to test server compliance. Server operating systems managed\nlocally and remotely by SMCs Mechanicsburg, Montgomery, Ogden, and Oklahoma City\nare subject to self-assessment automated scripts that are run on a weekly basis. The\nresults are posted to the Security Automated Database, and remediation actions are\ntracked. The results of the reviews are forwarded to the appropriate SAs and their\nsupervisors.\n\nThe second validation process is the IA connection approval process. The IA connection\napproval process uses FSO SRR scripts and checklists for servers, databases, and web\nservices to complete self-assessments of new servers or software upgrades. The self-\nassessment results are fed into the SRR database and are forwarded to the connection\napproval authority for review and approval. To obtain approval, servers, databases, or\nweb services must have no open Category I findings on the FSO SRR scripts and\nchecklists, and at least 85 to 95 percent compliance (the required percentage varies by\ntechnology) with all possible Category II and III findings. The senior person at the\nDECC SMC and DECC ISC is the approving authority for those organizations. The CS\nChief of Operations is the approving authority for all DECC PEs and all CS Headquarters\nDivisions.\n\nVulnerability Databases. CS uses two databases to track vulnerabilities, VMS and\nthe Security Automated Database. VMS is maintained by the FSO, while the Security\nAutomated Database is maintained by System Support Office (SSO) Montgomery. The\ntwo databases do not share information.\n\n        Vulnerability Management System. VMS is a DoD and DISA vulnerability\nmanagement system. The DoD portion of the system is a database known as the\nInformation Assurance Vulnerability Management database. 
The Information Assurance\nVulnerability Management database is used by DoD to track acknowledgement and\ncompliance with alerts released under the Information Assurance Vulnerability\nManagement program as directed by Chairman of the Joint Chiefs of Staff\nInstruction 6510.01D, \xe2\x80\x9cInformation Assurance (IA) and Computer Network Defense.\xe2\x80\x9d\nThe DISA portion of VMS has two databases: one is the SRR database and the other is\nthe Vulnerability Compliance Tracking System database.\n\n                SRR Database. The SRR database identifies SRR findings, tracks\nremediation of those findings, and has an automated waiver process for findings that\ncannot be fixed within an established timeframe. The CS IAM is responsible for\nchecking VMS to determine who reviews open SRR findings and determines what the\nplan of action is to remediate the findings. The CS IAM also reviews requests for\nwaivers to open SRR findings and renders a decision to the DISA approving authority.\n\n               Vulnerability Compliance Tracking System Database. The Vulnerability\nCompliance Tracking System database tracks DISA acknowledgement and compliance\nwith the DoD Information Assurance Vulnerability Management program (which\nincludes alerts, bulletins, and advisories). The Vulnerability Compliance Tracking\nSystem has a registry of all assets with associated operating systems and utility software,\nand identifies the owner of the asset and the responsible primary and alternate SAs. As\nalerts are released in the Information Assurance Vulnerability Management program, the\nVulnerability Compliance Tracking System notifies the SA and IAM of alerts by e-mail.\nThe SA is responsible for acknowledging receipt of the notification and updating the\nstatus of Information Assurance Vulnerability Management releases in the Vulnerability\nCompliance Tracking System.\n\nThe CS IAM is responsible for checking VMS to determine who is not in compliance\nwith Information Assurance Vulnerability Management releases. 
The CS IAM notifies\nthe responsible site IAM or IAO of any concerns or assets that are not in compliance\nwithin 7 working days of the compliance date. The Director of CS and primary staff are\nbriefed on the status of compliance on a weekly basis. The CS IAM also reviews\nrequests for extensions to compliance dates and recommends a concurrence or\nnonconcurrence to the approving authority, the DISA DAA. The FSO provides technical\nreviews for the CS IAM on request.\n\n        Security Automated Database. The Security Automated Database was created\nto track and remediate automated SRR self-assessment issues. The automated SRR\nprogram uses automated scripts developed by the FSO to conduct SRRs across the\nnetwork using Secure File Transfer Protocol. The FSO has SRR scripts for Windows,\nUNIX, and Linux operating systems and for Oracle and Structured Query Language\n(SQL) databases, and is moving toward running weekly SRRs on all servers, Oracle\ndatabases, and SQL Server databases by the end of 2006. Automated SRR scripts are\nlimited in that they cannot perform the manual checks of the STIGs. Automated SRR\nscripts test only the configuration settings of the hardware and software associated with\nthe IT. Operating system scripts are capable of checking most of the configuration\nsettings, while the database scripts are capable of checking only approximately 35 percent\nof the configuration settings. The FSO and CS are working collectively on improving the\nSRR scripts and developing scripts for the other operating systems, the mainframe (IBM\nand Unisys) operating systems, and web software.\n\nThe security staff at the SMCs reviews and updates findings from the weekly automated\nSRR and monitors the remediation, especially any Category I and II findings. 
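As an added illustration (example code, not DISA, FSO, or CS code) of what an automated configuration check of the kind described here produces, and of how the connection approval criteria given under Internal Compliance Validation are applied to that output, the following Python example runs a handful of hypothetical sshd_config checks over two constructed configurations and then applies the gate: no open Category I findings, and Category II and III compliance at or above a per-technology threshold. The check identifiers, the settings examined, their category assignments, the 90 percent threshold for "ssh", and both sample configurations are assumptions made for the example, not STIG, FSO, or DISA values.

```python
# Added example: a miniature automated SRR-style configuration check and the
# connection approval gate applied to its findings. Check IDs, categories,
# thresholds and the sample configurations are constructed for illustration;
# they are not STIG, FSO or DISA values.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Check:
    check_id: str                          # hypothetical identifier, not a STIG ID
    category: int                          # 1 = CAT I (most severe) ... 4 = CAT IV
    keyword: str                           # sshd_config keyword examined
    compliant: Callable[[Optional[str]], bool]
    title: str


@dataclass(frozen=True)
class Finding:
    check_id: str
    category: int
    observed: Optional[str]                # value seen, None if the keyword is absent
    title: str


@dataclass(frozen=True)
class Decision:
    approved: bool
    open_cat_i: Tuple[str, ...]
    cat_ii_iii_compliance_pct: float
    threshold_pct: int


# Hypothetical checks of the kind a technical SRR script applies to an SSH server.
SSH_CHECKS: Sequence[Check] = (
    Check("SSH-01", 1, "PermitRootLogin", lambda v: v == "no", "direct root login permitted"),
    Check("SSH-02", 2, "PasswordAuthentication", lambda v: v == "no", "password authentication enabled"),
    Check("SSH-03", 2, "Protocol", lambda v: v in (None, "2"), "legacy SSH protocol 1 enabled"),
    Check("SSH-04", 3, "X11Forwarding", lambda v: v in (None, "no"), "X11 forwarding enabled"),
    Check("SSH-05", 4, "Banner", lambda v: v not in (None, "none"), "no logon banner configured"),
)

# Required CAT II/III compliance varies by technology (85 to 95 percent in the
# text); the figure for "ssh" is an assumption for this example.
THRESHOLDS: Dict[str, int] = {"ssh": 90}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> lower-cased value; first occurrence wins, as sshd applies it."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings


def run_checks(config_text: str, checks: Sequence[Check] = SSH_CHECKS) -> List[Finding]:
    """Evaluate every check against the configuration; each failed check is one finding."""
    settings = parse_sshd_config(config_text)
    return [
        Finding(c.check_id, c.category, settings.get(c.keyword.lower()), c.title)
        for c in checks
        if not c.compliant(settings.get(c.keyword.lower()))
    ]


def connection_approval(findings: Sequence[Finding],
                        checks: Sequence[Check] = SSH_CHECKS,
                        technology: str = "ssh") -> Decision:
    """Apply the gate: no open CAT I finding, and CAT II/III compliance at or above threshold."""
    threshold = THRESHOLDS[technology]
    open_cat_i = tuple(f.check_id for f in findings if f.category == 1)
    applicable = [c for c in checks if c.category in (2, 3)]
    open_ii_iii = [f for f in findings if f.category in (2, 3)]
    pct = 100.0 if not applicable else 100.0 * (len(applicable) - len(open_ii_iii)) / len(applicable)
    return Decision(not open_cat_i and pct >= threshold, open_cat_i, round(pct, 1), threshold)


# Constructed sample configurations (not taken from any real host).
BEFORE_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
Banner none
"""

AFTER_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
Banner /etc/issue.net
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        findings = run_checks(cfg)
        decision = connection_approval(findings)
        print(f"{label}: {len(findings)} finding(s), approved={decision.approved}, "
              f"CAT I open={decision.open_cat_i}, "
              f"CAT II/III compliance={decision.cat_ii_iii_compliance_pct}%")
        for f in findings:
            print(f"  CAT {f.category} {f.check_id}: {f.title} (observed={f.observed!r})")
```

The "before" configuration fails on both counts: an open Category I finding (root login permitted) and only 66.7 percent Category II/III compliance against the assumed 90 percent threshold; the "after" configuration produces no findings and is approved. Note that a single open Category I finding is disqualifying on its own, regardless of the compliance percentage, which matches the ordering of the criteria in the text.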
All\nCategory I findings are entered in the trouble ticket system, Trouble Ticketing\nManagement System, and flagged for immediate remediation. Site directors are briefed\non the results of the automated scripts on a weekly basis and the Director, CS and\nprimary CS staff are briefed on the results of the automated scripts on a monthly basis.\n\nInformation Assurance Monitoring\n\nIA monitoring occurs at the enclave perimeters as well as within systems, database, and\nweb software running within those systems. In addition to the external FSO reviews and\nthe internal CS reviews, CS networks are also subject to monitoring by the Global\nNetwork Security Center as part of the GIG monitoring and internal network monitoring.\n\nGIG Monitoring. There are network Intrusion Detection Systems (IDSs) located on the\nGIG that monitor standard security policy. The GIG network IDSs, monitored by Global\nNetwork Security Center (the Center), are known as the Joint Intrusion Detection System.\nThe Center monitors all Joint Intrusion Detection Systems on the GIG within the\ncontinental United States. Other centers are located around the world and all centers feed\ninto a DoD Global Network Center Network Defense. This concept enables the Center to\nidentify any information threat on an isolated, regional, or global basis. The Center\nnotifies any element, to include CS, of any type of potential unauthorized attack or\naccess. The Center also works with the CS CCCs and individual site IA staff to help\nidentify, isolate, investigate, and remediate potential threats.\n\nCS Enclave Perimeter Monitoring. 
All CS enclave perimeters have a layered defense\nthat consists of an access control list on the perimeter router, firewalls, and network IDS.\nThe security staff located in the CCCs develops the security profiles for the enclave\nperimeter router, firewall, and network IDSs and monitors their respective reports and\naudit logs for unauthorized access or activities for the entire continental United States-\nbased CS network. The security staffs at DECCs Europe and Pacific perform the same\ntasks locally for their respective enclave perimeter devices. Suspected incidents are\ninvestigated in concert with trusted agents from the customer base or data owners to\ndetermine the legitimacy of the incidents. If a suspected incident cannot be validated\nas authorized, it is reported to the Computing Services Cell within the DISA\nNetwork Operation Center and to the Center. The Center then directs all actions for the\nincident and closes it or turns it over to the appropriate investigative agency for action.\nThe Computing Services Cell reports the incident to the Computing Services Issue Center\nwithin the CS Operations Division.\n\nThe objective of layered defense is to provide a deny-by-default posture at the perimeter\nof the enclave. Deny-by-default means permitting only those addresses, ports, protocols,\naccesses, and actions that are explicitly authorized and denying everything that is not\nauthorized.\n\nEnclave Monitoring. Security staff at the DECCs review system and database audit\nrecords at least weekly for suspicious actions. They perform preliminary inquiries with\nthe customer, data owners, and others to determine the validity of suspicious actions. 
If\nan action cannot be validated, or an unauthorized privileged or user-level action is\nidentified, the action is reported to the Center and the CS Global Network Security\nLiaison Officer within the CS Operations Division.\n\nSome of these sites also monitor the system and database audit reports using a host-based\nIDS. Validated unauthorized privileged or user accesses are reported up the same chain as\nthe other incidents. All security incidents reported to the Computing Services Issue\nCenter are briefed to the Director and Chief of Operations for CS every morning,\nMonday through Friday.\n\nFSO Monitoring. The FSO conducts external vulnerability scanning twice a year for the\nNIPRNET and SIPRNET connections at all sites from Chambersburg. If the scan does\nnot penetrate or identify a weakness in the enclave perimeter, the scan is terminated. If\nthe scan does identify a weakness in the enclave perimeter, the scan continues to further\nidentify weaknesses. The results are entered into VMS and are briefed to the site director\nand senior staff.\n\nSegregation of Duties\n\nMainframes. In the mainframe environment, the IAO applies system security through\nthe access control program. For the Unisys mainframe, the access control program is a\nproduct known as SIMON. The IBM mainframe access control program products are\nResource Access Control Facility, Access Control Facility 2, and Top Secret. The IAO\nalso monitors security audit records to identify security concerns.\n\nServers. The SAs implement security for servers, operating systems, databases, and web\nservers and web-based applications, primarily on UNIX, Windows, Solaris, and Tandem\nplatforms. The IAO identifies each user\xe2\x80\x99s security profile, provides the SA with\nrequirements, and then validates that the profile has been implemented as prescribed. 
The IAO also\nmonitors security audit records to identify possible security concerns.\n\nPersonnel Controls\n\nAll civilian personnel are subject to Federal Civilian Personnel Systems. All personnel\nmust meet employment requirements and are subject to a favorable personnel security\ninvestigation. An authorization document, known as the Joint Table of Distribution,\nauthorizes all government (civilian and military) positions. This document also identifies\nthe sensitivity, IT level, and security clearance requirement for each position. These\nthree elements determine the type of investigation required and the type and frequency of\nperiodic reinvestigations.\n\nAll personnel are subjected to various levels of personnel security investigation, which is\nbased on the level of privileges they have within systems. All personnel possess Secret\nclearance with IT-2 level, except for the SAs. The SAs are required to have Secret\nclearance with IT-1 level.\n\nAll personnel security is managed and monitored by the CS SM in Chambersburg, in\nconcert with site SMs. The CS SM submits all personnel security actions through the\nDISA Security Division. The DISA Security Division issues requests for additional\ninformation, intent to deny or revoke, and actual revocations of security clearances or\nfavorable investigations.\n\nEnvironmental Controls\n\nThe Facilities Engineering Branch, a CS Headquarters organization in Denver,\nestablishes facility standards for the DECCs on electrical distribution, uninterrupted\npower supply, fire detection, fire suppression, and climate control in accordance with\nnational standards.\n\nElectrical Distribution. Each site has at least two electrical power feeds either from the\ninstallation or another commercial source. There are automatic voltage controls at all\ncomputing facilities and alerts of any potential electrical problems. 
There is a master\npower switch located at the primary entrances in all computer facilities.\n\nUninterrupted Power Supply. Each site has an uninterrupted power supply consisting\nof constantly charged batteries in case of power disruption. The uninterrupted power\nsupply is constantly monitored and alerts staff of any potential problem. Each site is also\nequipped with generators that provide an automatic start-up power source. Backup\npower sources are tested on a periodic basis to ensure that they function properly and\nprovide sufficient electrical power to meet site operating requirements. Additional fuel is\nstored on site for sustained backup operations. The fuel is tested on an annual basis for\ncontamination.\n\nFire Detection. Most administrative areas are protected by fire detection systems that\nalarm either locally or at a responding fire department. All computing facilities are\nprotected by automatic fire detection systems that alarm at the responding fire\ndepartment.\n\nFire Suppression. All administrative areas are protected by either automatic or manual\nfire suppression systems. All computing facilities are protected by automatic fire\nsuppression systems that are triggered by heat or smoke detectors. Fire prevention is an\ninherent responsibility of every CS employee and requires alertness and cooperation from\nall individuals and agencies that may be in the building. Each site follows the facility\nemergency plan for the protection of all Government employees and private industry\ntenants.\n\nClimate Control. There are mechanical systems that provide the constant and desired\ntemperature, humidity, and air particle levels. The climate control system is constantly\nmonitored and alerts of any potential problems. 
Many of the computer facilities are\nequipped with water detection systems and a water drainage system to handle excess\nwater under the raised floor area.\n\nPhysical Security Controls\n\nAdministrative Areas. All buildings and administrative areas have limited entry points\nand all are protected by automated access card systems or by guards at the entrances. In\nsome cases, both are used; guards protect the area during normal duty hours from Monday\nthrough Friday, and the automated access card system controls access during all off-duty\nhours. All personnel must wear identification badges while in the area. Visitors to all\nsites must be signed into the administrative area and obtain local badges that must be\ndisplayed while in the buildings. The issuance of an escort-required or a non-escort-\nrequired visitor badge depends on the validation of the visitor\xe2\x80\x99s investigation type and\nsecurity clearance.\n\nComputer Facility. All computer facilities have implemented the following physical\ncontrols:\n\n       \xe2\x80\xa2   controlled access and controlled perimeter for CS facilities located on a\n           military or General Services Administration (GSA) installation;\n\n       \xe2\x80\xa2   verification of DoD identification such as a Common Access Card or DISA\n           badge;\n\n       \xe2\x80\xa2   enclosed perimeter by a fence that controls vehicle and pedestrian access for\n           facilities not located on a military or GSA installation;\n\n       \xe2\x80\xa2   routine patrol and random door checks performed by local military, DoD, or\n           GSA guards in accordance with the local base support agreement; and\n\n       \xe2\x80\xa2   access to the administrative areas controlled by guard, mechanical cipher, or\n           automated access control system.\n\nFacility Support Areas. 
Access to facility support areas is controlled either by fencing,\nautomated access control systems, or key locking devices. These areas are not\nconsidered \xe2\x80\x9cRestricted Areas.\xe2\x80\x9d Most of the facilities have closed-circuit television\ncoverage of all doors to computer facilities, buildings, and facility support areas inside\nand outside of the buildings. A local guard monitors the cameras at some sites. Where\ncameras are not monitored, access is recorded and surveillance tapes are maintained for\nat least 30 days.\n\nInformation Security Controls\n\nOnly properly cleared personnel with a need-to-know are granted access to classified\ninformation. All classified paper documents are stored in GSA-approved security\ncontainers.\n\nCombinations to approved storage areas and security containers are restricted to only\nthose who need to gain access, and a DISA Form 190A identifies who holds the\ncombinations. The combination is treated as classified information and must be located\nin another security container. All security containers and approved storage areas must\nhave a Standard Form 702 on the outside and must be annotated with the initials of the\nperson opening the containers as well as the date and time the container was opened and\nclosed. Security containers are to be inspected daily and annotated on the Standard\nForm 702 to prevent security breach.\n\nAll classified transmissions that egress the perimeter router are encrypted using National\nSecurity Agency Type I encryption devices and keying material. 
In some cases,\ntransmissions inside the enclave are not encrypted but are required to be in an appropriate\nprotected distribution system.\n\nWhen the customer requires in the SLA that the transmission of unclassified information\nbe encrypted, the encryption must use cryptographic modules that meet Federal\nInformation Processing Standards Publication 140-2, \xe2\x80\x9cSecurity Requirements for\nCryptographic Modules.\xe2\x80\x9d\n\nAll computing areas that process classified information must be in an approved classified\ninformation storage area or continuously be manned by properly cleared personnel who\ncan observe every device (computing and networking) processing classified information.\n\nInformation stored on magnetic media is not encrypted unless the customer requests it.\nWhen encryption is requested, National Security Agency devices are used for classified\ninformation and Federal Information Processing Standards Publication 140-2-compliant\ndevices are used for unclassified information. All classified and unclassified information\nmust be destroyed using approved methods of destruction in accordance with DoD\nRegulation 5200.1-R, \xe2\x80\x9cInformation Security Program.\xe2\x80\x9d\n\nIndustrial Security Controls\n\nContracts must address security requirements. 
The contract should identify:\n\n       \xe2\x80\xa2   the required IT level and personnel security investigation;\n\n       \xe2\x80\xa2   the requirement for the contractor to provide visit request documentation for\n           all contractor personnel that need to visit a Government location;\n\n       \xe2\x80\xa2   the requirement to comply with all security policies and procedures at\n           Government locations;\n\n       \xe2\x80\xa2   the configuration requirement for contractor-provided equipment that will be\n           connected to Government networks and enclaves, if no government-furnished\n           equipment is provided; and\n\n       \xe2\x80\xa2   the requirement for a DD Form 254, for contracts that require access to\n           classified information, that outlines the required level of security clearance,\n           where classified information can be accessed, and any special instructions.\n\n\nInformation and Communication\nInformation Systems Overview\n\nThe concept of operations for the CS emphasizes and describes a \xe2\x80\x9ccustomer focused\xe2\x80\x9d\nenvironment, organized with SMCs, Operations Support Teams, and production\noperations environments designed to provide a problem resolution and a situational\nawareness posture over all domains of a dynamic production environment that is\noperational 24 hours a day, 7 days a week, and 365 days a year.\n\nCS customer support demands include multiple classifications of secure environments,\nmulti-vendor UNIX environments, Intel-based server environments, IBM and Unisys\nmainframe environments, multiple commercial database environments, commercial off-\nthe-shelf applications, government off-the-shelf applications, customized legacy systems,\nweb-based systems, voice-based systems including commercial telephone switch support,\nprivate branch exchange support, and multiple communications infrastructures. 
CS must\nhave knowledge of the products, services, and applications used by its customer base, as\nwell as information regarding the internal health of the CS IT environment to provide\nprofessional, knowledgeable, and proactive support.\n\nCommunication\n\nCS has implemented various methods of communications to ensure that all employees\nunderstand their individual roles and responsibilities. These methods include New\nEmployee Orientation, Individual Development Plan, CS Plan of the Week that\nsummarizes various significant events, and the use of e-mail messages to communicate\ntime-sensitive messages and information. The Director of CS holds a weekly staff\nmeeting with all CS Division Chiefs. All site Chiefs also hold periodic staff meetings as\nappropriate. Every employee within CS has a written position description, and every\nposition description includes details of what responsibilities are required of the\nindividual.\n\nThe CS BMC is responsible for Headquarters-level customer relations and acts as the\npoint of contact for the customer. Each operating site within CS maintains detailed\nrecords of problems reported by customer and problems or incidents noted during\nprocessing and monitor such items until they are resolved. The CS Operations Division\nNetwork Operations is responsible for the up-channel reporting of operations incidents.\nCategories of incidents have been identified as high impact, high visibility, or high\ninterest requiring detailed reporting to a defined chain of senior management. Specific\ninformation requirements have been defined for the incident reports to help ensure\ncompleteness, accuracy, and understandability. 
Standard trouble tickets that provide the\nbasic information must be cleansed to ensure that these informational requirements are\nmet and consolidated into the defined incident reporting format.\n\n\nControl Objectives and Related Control Activities\nCS control objectives and related controls are included in Section III, Control Objectives,\nControls Techniques, and Tests of Operating Effectiveness to eliminate the redundancy\nthat would result from listing them in this section and repeating them in Section III.\nAlthough the control objectives and related controls are included in Section III, they are\nnevertheless, an integral part of CS control descriptions.\n\n\nUser Control Considerations\nComputing Services User Controls\n\nCS and its customers share the responsibility for the controls over the users. This shared\ncontrol responsibility environment normally is delineated between the computing\nenvironment and the applications.\n\n\n                                            24\n\x0c\x0cCustomer User Controls\n\nCustomers are expected to have the following general user controls, at a minimum, built\ninto their applications:\n\n       \xe2\x80\xa2   individual user identification and\n\n       \xe2\x80\xa2   individual user password or Public Key Infrastructure authentication.\n\nThe specific user controls are outlined in the individual customer SLAs.\n\nService-Level Agreements\n\nAn SLA is a contract between a service agency and a customer agency that defines the\nparameters of the services. The SLA defines the services to be delivered, problem\nmanagement, and customer duties and responsibilities. 
The SLA outlines, at a minimum, the responsibilities relating to system access, security controls, data disposition and sharing, data encryption, and data backup for both CS and the customers.


Section III: Control Objectives, Control Techniques, and Tests of Operating Effectiveness

Each numbered control below is presented with its control objective, control technique(s), test(s) of operating effectiveness, and results of testing.


Security Program

1     Controls provide reasonable assurance that the security program effectiveness is monitored and changes are made as needed.

1.1   Control objective: DISA periodically assesses the appropriateness of security policies and procedures.
      Control technique: The FSO conducts annual Technical Interchange Meetings to assess the appropriateness of the STIGs.
      Test of operating effectiveness: Interviewed the FSO regarding the Technical Interchange Meeting process used to assess the appropriateness of the security policies such as the STIGs.
      Results of testing: No relevant exceptions were noted.

1.2   Control objective: Management monitors compliance with policies and procedures.
      Control technique: Monitor the currency of the security policies checked by the IAR process to accommodate new security policy requirements and technology changes.
      Test of operating effectiveness: Interviewed FSO personnel regarding their IAR process. Reviewed documentation prepared by FSO personnel indicating incorporation of security policy and technology changes into the IAR process.
      Results of testing: No relevant exceptions were noted.

      Control technique: SRRs are accomplished as a part of the IA review and certification and accreditation process. SRRs are performed by FSO and the site personnel.
      Test of operating effectiveness: Inspected 12 SRRs at the FSO to determine whether they were being performed.
      Results of testing: No relevant exceptions were noted.
      Test of operating effectiveness: Interviewed SMC management to determine whether the SRRs were being performed.
      Results of testing: At all four SMCs, SRRs performed by site personnel were permitted to be made exempt by the site SA, and the version of the SRR automated script program performed by that site did not match the SRR script program provided by FSO.

      Control technique: FSO provides weekly reports on Information Assurance Vulnerabilities Alerts Category I and II to CS senior management.
      Test of operating effectiveness: Inspected a sample of ten Information Assurance Vulnerabilities Alerts reports issued by the FSO. Determined whether these reports were issued on a weekly basis.
      Results of testing: No relevant exceptions were noted.

1.3   Control objective: Corrective actions are effectively implemented.
      Control technique: Corrective actions to findings noted during the IAR are monitored through VMS by the IAM at the CS site and CS headquarters and by the certifying authority.
      Test of operating effectiveness: Interviewed the SMC IAMs and the FSO personnel or staff regarding their monitoring of vulnerabilities as recorded in the VMS system.
      Results of testing: No relevant exceptions were noted.


Risk Assessments

2     Controls provide reasonable assurance that risks are periodically assessed and appropriate steps are taken to mitigate risks.

2.1   Control objective: Risk assessments are performed according to current Federal and DoD requirements.
      Control technique: Enterprise risk assessments are prepared by CS based on the site risk assessment results.
      Test of operating effectiveness: Interviewed FSO personnel and the CS IAM to identify their procedures for preparing the enterprise-wide and site risk assessments and to determine whether risk assessments were documented.
      Results of testing: No relevant exceptions were noted.

      Control technique: Risk assessments are performed annually in accordance with DoD Instruction 5200.40.
      Test of operating effectiveness: Inspected the annual risk assessments for compliance with DoD Instruction 5200.40.
      Results of testing: No relevant exceptions were noted.

      Control technique: In accordance with the DoD and DISA guidance for Federal Information Security Management Act reporting, Plans of Action and Milestones (POA&Ms) are prepared by CS sites for all noncompliant, high-risk vulnerabilities, and are updated quarterly.
      Test of operating effectiveness: Inspected a sample of four Federal Information Security Management Act POA&M reports from the SMCs to determine whether all high-risk vulnerabilities listed in VMS were included.
      Results of testing: Two SMCs did not submit POA&Ms for all noncompliance with high-risk vulnerabilities. Findings pertaining to self-assessments conducted by two SMCs were not uploaded as POA&Ms into the VMS.


Security Plans

3     Controls provide reasonable assurance that site security plans are in place; prepared, documented, and approved in accordance with Federal and DoD requirements; and current.

3.1   Control objective: Site security plans are documented.
      Control technique: The security plan is documented by each CS site, addresses topics prescribed in OMB Circular A-130, and is on file at the DAA.
      Test of operating effectiveness: Obtained and inspected security plan documentation from the DAA for 17 DECCs for compliance with OMB Circular A-130 and DoD Instruction 5200.40.
      Results of testing: Of 17 DECCs tested, 1 DECC did not have a security plan.

3.2   Control objective: Site security plans are approved.
      Control technique: The security plan for all sites is signed by the senior official at the CS site.
      Test of operating effectiveness: Inspected the security plans or the site accreditation memos of 17 DECCs to determine whether they had been approved.
      Results of testing: Of 17 DECCs tested, 1 DECC did not have a security plan.

3.3   Control objective: Site security plans are current.
      Control technique: As part of the System Security Authorization Agreement (SSAA), the security plan is reviewed annually by the CS operations chief and updated as required.
      Test of operating effectiveness: Inspected the security plans for 17 DECCs to determine whether they had been reviewed annually by the CS operations chief and updated as required.
      Results of testing: Of 17 DECCs tested, 1 DECC did not have a security plan. Security plans for two DECCs had not been reviewed and updated by the CS operations chief.


Security Management

4     Controls provide reasonable assurance that a security management structure is established and security responsibilities are clearly assigned.

4.1   Control objective: A security management structure has been established within CS.
      Control technique: The “DISA Computing Services Enterprise Security – Roles and Responsibilities Concept of Operations,” version 1.1, dated March 20, 2006, defines the responsibilities of security officials at all levels in CS, to include FSO.
      Test of operating effectiveness: Inspected the DISA Computing Services Enterprise Security Roles and Responsibilities Concept of Operations, March 20, 2006, version 1.1, to determine whether the responsibilities of security officials for all levels at CS and FSO have been defined.
      Results of testing: No relevant exceptions were noted.

4.2   Control objective: Information security responsibilities are clearly assigned.
      Control technique: The roles and responsibilities are outlined in the “DISA Computing Services Enterprise Security – Roles and Responsibilities Concept of Operations,” version 1.1, dated March 20, 2006. The IAM, IAO, and SM are assigned through appointment orders.
      Test of operating effectiveness: Inspected appointment orders for 100 IAM, IAO, and SM positions at the SMCs and ISCs to assess the appropriateness and definition of roles. Compared appointment orders to the DISA Computing Services Enterprise Security Roles and Responsibilities Concept of Operations, March 20, 2006, version 1.1, for appropriateness and completeness.
      Results of testing: Of 100 appointment orders tested, appointment orders for 16 IAM, IAO, and SM positions were neither complete nor compliant with the requirements defined in the DISA Computing Services Enterprise Security Roles and Responsibilities Concept of Operations, March 20, 2006, version 1.1. The exceptions were from two SMCs.

4.3   Control objective: DISA employees are aware of security policies.
      Control technique: CS personnel are required to take initial security awareness training before gaining access to any system and are required to take annual refresher security awareness training. MPS manages the training and records the completion for all CS Headquarters personnel located within the National Capital Region. Training completion is recorded and maintained by the CS IAM or SM for all other CS personnel.
      Test of operating effectiveness: Inspected training records for a sample of 167 CS personnel at the SMCs, ISCs, and one headquarters element to determine whether the required training was completed timely and whether training records were maintained.
      Results of testing: For 25 of 167 personnel tested, IA training was not completed prior to users being granted access to the system, or training records were not maintained. The exceptions were from one SMC and one ISC.


Personnel

5     Controls provide reasonable assurance that effective personnel policies have been implemented.

5.1   Control objective: Employee (government and contractor) background investigations, hiring, transferring, and termination policies address security and are in compliance with DoD Instruction 8500.2.
      Control technique: Personnel security checks are performed to determine that a valid and current personnel security investigation has been conducted for each person at the site based on the individual’s duties and tasks.
      Test of operating effectiveness: Inspected a sample of 102 security background investigations for personnel at the SMCs and ISCs to determine whether the investigations were valid and current.
      Results of testing: No relevant exceptions were noted.

      Control technique: The Security Handbook prescribes guidelines addressing position sensitivity designations for military and civilian employees.
      Test of operating effectiveness: Inspected the Security Handbook to determine whether position sensitivity designations for military and civilian employees were included.
      Results of testing: No relevant exceptions were noted.

      Control technique: Termination requires debriefing and revoking of all access. Termination debriefing (DISA Form 553) must be signed and maintained by the site security manager.
      Test of operating effectiveness: Inspected a sample of 36 terminated employees and contractors for the SMCs and one ISC to determine whether the employee’s system access was revoked and whether a signed debriefing (DISA Form 553) was on file.
      Results of testing: No relevant exceptions were noted.

      Control technique: Security requirements for contractors are included in the contract requirements.
      Test of operating effectiveness: Inspected a sample of 45 contracts issued by the Defense Information Technology Contracting Organization to determine whether security requirements were included.
      Results of testing: No relevant exceptions were noted.

      Control technique: Personnel security compliance is monitored by CS security managers.
      Test of operating effectiveness: Interviewed the CS security manager at three SMCs to determine whether personnel security compliance was monitored.
      Results of testing: No relevant exceptions were noted.

5.2   Control objective: Job descriptions for government employees have been documented, and employees understand their duties and responsibilities.
      Control technique: All civilian positions have position descriptions.
      Test of operating effectiveness: Inspected a sample of 22 personnel files at 4 SMCs and 2 ISCs for civilian positions to determine whether the position descriptions existed.
      Results of testing: No relevant exceptions were noted.

      Control technique: All contractor job requirements are documented within the applicable contract.
      Test of operating effectiveness: Inspected a sample of 45 contracts issued by the Defense Information Technology Contracting Organization to determine whether the documented contractor job requirements were included in the contracts.
      Results of testing: No relevant exceptions were noted.

      Control technique: Supervisors at all levels develop and maintain a performance plan for each individual and ensure that the plan requires that the employee’s performance be based on the position description.
      Test of operating effectiveness: Inspected a sample of 36 employee performance plans at the SMCs and the ISC to determine whether the plans reflect the relevant position description.
      Results of testing: Of 36 employee performance plans reviewed, 4 did not reflect the relevant position description. The exceptions were from one SMC and one ISC.

      Control technique: Supervisors have access to staff position descriptions and ensure that they correctly identify the tasks and functions of the position.
      Test of operating effectiveness: Interviewed supervisors of 25 sampled employees at 3 SMCs and 2 ISCs as to their awareness of the tasks and functions required of the employees. Compared their answers to the relevant position description for appropriateness.
      Results of testing: No relevant exceptions were noted.

      Control technique: CS management ensures that job descriptions and duties comply with DISA Instruction 220-15-55.
      Test of operating effectiveness: Interviewed MPS and CS management to determine whether they were in compliance with DISA Instruction 220-15-55.
      Results of testing: No relevant exceptions were noted.

      Control technique: Local written instructions may be followed for the performance of work.
      Test of operating effectiveness: Inspected a sample of 4 local written standard operating procedures at three SMCs for reasonableness in providing guidance for the performance of work.
      Results of testing: No relevant exceptions were noted.

5.3   Control objective: Employees (government and contractor) are adequately trained and possess the required skills.
      Control technique: SA certification requirements are established by DoD and DISA policies.
      Test of operating effectiveness: Interviewed FSO management regarding DoD and DISA policies used to establish SA certification requirements.
      Results of testing: No relevant exceptions were noted.

      Control technique: SA certification requirements are tracked by the FSO.
      Test of operating effectiveness: Inspected SA certification documentation tracked by the FSO for a sample of 112 SMC and ISC SAs to determine appropriateness and completeness of FSO data.
      Results of testing: Certification documentation for 25 of 112 SAs tracked by the FSO was not complete. The 25 exceptions were from 2 SMCs.
      Test of operating effectiveness: Interviewed FSO personnel and the IAMs at the SMCs to determine whether SA privileges are reviewed annually.
      Results of testing: No relevant exceptions were noted.

      Control technique: Training requirements for IAMs and users are established by DoD and DISA policies.
      Test of operating effectiveness: Interviewed FSO and CS management regarding DoD and DISA policies used to establish training requirements.
      Results of testing: No relevant exceptions were noted.
      Test of operating effectiveness: Inspected relevant DoD and DISA policies for appropriateness regarding training requirements.
      Results of testing: No relevant exceptions were noted.

      Control technique: Completion of the IAM and user training is tracked by the FSO and reviewed annually.
      Test of operating effectiveness: Interviewed FSO staff to determine the process for tracking SA certification requirements.
      Results of testing: No relevant exceptions were noted.

5.4   Control objective: Confidentiality or nondisclosure agreements are documented for all CS employees.
      Control technique: A nondisclosure statement is a required performance element for all employees.
      Test of operating effectiveness: Inspected a sample of 51 nondisclosure statements for personnel at the SMCs, ISCs, and one headquarters element to determine whether they were signed by the employee.
      Results of testing: No relevant exceptions were noted.

5.5   Control objective: Incompatible duties have been identified and policies implemented to segregate these duties.
      Control technique: The Security Handbook describes the segregation of duties of CS personnel. DISA CS Operations Policy Letter 06-15, “Segregation of Duties,” describes the segregation of duties of CS personnel not outlined in the Security Handbook.
      Test of operating effectiveness: Inspected the CSD Operations Policy Letter CSD 06-15, “Segregation of Duties,” and the Security Handbook regarding the segregation of incompatible duties.
      Results of testing: No relevant exceptions were noted.

      Control technique: SLAs also describe the roles and responsibilities of CS in maintaining customer platforms.
      Test of operating effectiveness: Inspected a sample of 45 SLAs at the BMC to determine whether they describe the roles and responsibilities of CS for the maintenance of customer platforms.
      Results of testing: No relevant exceptions were noted.


Resource Classification

6     Controls provide reasonable assurance that information resources are classified according to their criticality and sensitivity.

      Design Weakness:
      CS did not have control procedures in place to ensure that information resource criticality and sensitivity were known and properly documented. Specifically, control procedures are needed to ensure the following: (a) customers define the criticality and sensitivity within the SLAs, (b) customers define the data disposition and data sharing process, and (c) customers sign the SLAs.

6.1   Control objective: Resource classifications and related criteria have been established.
      Control technique: Data owners are responsible for defining their information resources’ criticality in accordance with DoD Instruction 8500.2, and CS is responsible for documenting the criticality of the systems in the site SSAA, SLA, or VMS.
      Test of operating effectiveness: Inspected DITSCAP documentation for 17 DECCs to determine whether the criticality of information resources established by data owners in accordance with DoD Instruction 8500.2 was documented by CS in the site’s SSAA, SLA, or VMS.
      Results of testing: Of 17 site DITSCAP packages tested, 3 did not define the criticality of information resources.

6.2   Control objective: DISA has classified all DISA-owned assets according to criticality and sensitivity.
      Control technique: In accordance with DoD Directive 8500.1 and DoD Instruction 8500.2, system owners or customers establish the MAC level based on their assessment of the critical nature of their application or system.
      Test of operating effectiveness: Inspected a sample of 45 SLAs at the BMC to determine whether the documentation was completed in accordance with DoD Directive 8500.1 and DoD Instruction 8500.2 and whether system owners or customers included the MAC level.
      Results of testing: Refer to item (a) of the design weakness. None of the 45 SLAs tested had MAC levels documented for their applications or systems.

      Control technique: The site IAM has reviewed and accepted the criticality of the DISA-owned resources as defined by individual Authority to Operate or Interim Authority to Operate.
      Test of operating effectiveness: Inspected the SSAA information criticality for the SMCs for a DISA-owned resource to determine whether the site IAM has reviewed and accepted the criticality of the DISA-owned resource.
      Results of testing: Two of the SMCs tested did not evidence the site IAM’s review and acceptance of the criticality of DISA-owned resources.

6.3   Control objective: Customers classify their applications in the business proposal or SLAs.
      Control technique: CS customers communicate MAC levels to CS for their applications during the initial business proposal or in the SLA.
      Test of operating effectiveness: Requested initial business proposals and interviewed DISA personnel to determine whether MAC levels were included in initial business proposals.
      Results of testing: MAC levels were not documented in initial business proposals, according to DISA personnel.
      Test of operating effectiveness: Inspected a sample of 45 SLAs at the BMC to determine whether the MAC level was communicated to CS by the CS customer.
      Results of testing: Refer to item (a) of the design weakness. None of the 45 SLAs and corresponding business proposals tested had MAC levels documented for their applications or systems.

6.4   Control objective: Data management and the disposition and sharing of data requirements are identified in the SLAs.
      Control technique: The support agreement portion of the SLAs defines the data disposition and data sharing process.
      Test of operating effectiveness: Interviewed CS personnel at the BMC about the SLA process. Inspected a sample of 45 SLAs at the BMC to determine whether the support agreement portion of the SLA defines the data disposition and data sharing process.
      Results of testing: Refer to item (b) of the design weakness. None of the 45 SLAs tested had a defined data disposition and data sharing process.

      Control technique: SLAs are current and available in the Knowledge Management System.
      Test of operating effectiveness: Interviewed CS personnel at the BMC about the SLA update and approval process. Inspected a sample of 45 SLAs at the BMC to identify the date on which the SLA was updated and approved in accordance with CS policy.
      Results of testing: Refer to item (c) of the design weakness. None of the 45 SLAs tested had evidence of approval signatures.
      Test of operating effectiveness: Observed the Knowledge Management System to determine whether the SLA was available.
      Results of testing: No relevant exceptions were noted.
Control Objectives        Control Techniques                           Test of Operating Effectiveness            Results of Testing\n                                If required by the customer,                 Inspected a sample of 45 SLAs at the       No relevant exceptions were noted.\n                                communications are secured by Type I         BMC to determine whether                   None of the 45 SLAs tested had\n                                or Type III cryptography devices.            cryptography requirements existed and if   cryptography requirements.\n                                                                             so, observed the physical existence of\n                                                                             the related Type I or Type III\n                                                                             cryptography hardware and software.\n\n                                All requirements (if applicable) for         For the 45 SLAs sampled in the previous    No relevant exceptions were noted.\n                                communications secured by Type I or          test, determined whether cryptography      None of the 45 SLAs tested had\n                                Type III cryptography devices are            devices (both Type I and Type III) at      cryptography requirements.\n                                documented in the applicable SLA.            each of the Oklahoma City and\n                                                                             Montgomery CCCs existed.\n\n6.5   CS has logical controls   If required by the customer where the        Inspected a sample of 45 SLAs at the       No relevant exceptions were noted.\n      over data files and       data or the transmission of data needs to    BMC to determine whether the SLA           None of the 45 SLAs tested had\n      software programs.        
be protected, encryption tools such as       requires encryption tools. For those       encryption requirements.\n                                Virtual Private Network, Secure Socket       SLAs that required encryption tools,\n                                Layer, Secure Shell, and Public Key          observed the related hardware and\n                                Infrastructure are used in accordance        software devices to determine whether\n                                with DoD STIGs.                              the devices existed.\n\n6.6   CS correctly uses         All requirements (if applicable) for         Inspected a sample of 45 SLAs at the       No relevant exceptions were noted.\n      cryptographic tools.      encryption are documented in the             BMC to determine whether encryption        None of the 45 SLAs tested had\n                                applicable SLA.                              requirements, if applicable, are           encryption requirements.\n                                                                             documented in the applicable SLA.\n\n                                If required by the customer, DoD             Inspected a sample of 45 SLAs at the       No relevant exceptions were noted.\n                                encryption policy is applied in              BMC to determine whether the DoD           None of the 45 SLAs tested had\n                                accordance with Federal Information          encryption policy was applied in           encryption requirements.\n                                Processing Standards Publication 140-2.      
accordance with Federal Information\n                                                                             Processing Standards Publication 140-2\n                                                                             when required by the customer.\n\n\n\n\n                                                                            38\n\x0cAccount Management\nNo.   Control Objectives          Control Techniques                            Test of Operating Effectiveness            Results of Testing\n7     Controls provide reasonable assurance that user account management procedures are implemented and effective.\n\n7.1   Authorized owners and       In accordance with DoD Instruction            Inspected the DD Form 2875 for a           No relevant exceptions were noted.\n      their access right are      8500.2 and appropriate DoD STIGs, the         sample of 107 privileged users at the\n      identified for DISA-owned   site IAM or IAO maintains a list of all       SMCs and ISCs, to determine whether\n      assets.                     
approved privileged user accounts             the privileged users were approved.\n                                  created by CS SAs for operating\n                                  systems, networks, databases, and web\n                                  administrators.\n\n                                  Each privileged user identification issued    Inspected a sample of 107 privileged       No relevant exceptions were noted\n                                  is evidenced by a DD Form 2875,               users for the SMCs and ISCs to\n                                  System Access Authorization Request           determine whether a DD Form 2875 (or\n                                  (or its predecessor, DISA Form 41) or an      its predecessor, DISA Form 41) was\n                                  equivalent local form that has                maintained by the data owner, approved\n                                  incorporated all the requirements of the      by the user\xe2\x80\x99s supervisor or data owner\n                                  DD Form 2875. DD Form 2875 requires           and validated by the site security\n                                  approval from the user\xe2\x80\x99s supervisor and       manager.\n                                  validation of user personnel security\n                                  investigation based on access requested.\n\n                                  The DoD Instruction 8500.2, as                Inspected DoD Instruction 8500.2 and       No relevant exceptions were noted.\n                                  supplemented by CS Policy, details the        the Security Handbook to determine\n                                  process for granting access to system         whether a process for granting access to\n                                  resources.                                    
system resources existed.\n\n7.2   IAOs or SAs periodically    Periodic revalidation of DISA-managed         Interviewed the IAM or IAO at the          No relevant exceptions were noted.\n      review authorization        systems, in accordance with applicable        SMCs and ISCs and identified how the\n      listings to determine       DoD STIGs and CS Policy, is conducted         annual privileged account review is\n      appropriateness.            annually by the local IAM or IAO to           performed.\n                                  identify privileged accounts and\n                                  privileged user accesses that are no\n\n\n\n                                                                               39\n\x0cNo.   Control Objectives        Control Techniques                        Test of Operating Effectiveness            Results of Testing\n                                longer needed. (Customer rental space\n                                                                          Inspected supporting documentation for     No relevant exceptions were noted.\n                                excluded.)\n                                                                          the annual privileged account reviews at\n                                                                          the SMCs and ISCs to determine\n                                                                          whether the annual reviews were\n                                                                          performed.\n\n7.3   Emergency and temporary   Emergency and temporary access            Interviewed CS personnel to determine      No relevant exceptions were noted.\n      access is controlled.     
authorizations are:                       whether CS had established policies and\n                                                                          procedures for the creation and\n                                \xe2\x80\xa2   documented and maintained on file,\n                                                                          maintenance of emergency and\n                                \xe2\x80\xa2   approved by appropriate\n                                                                          temporary access to CS-owned or\n                                    management,\n                                                                          -administered systems.\n                                \xe2\x80\xa2   securely communicated to the IAM,\n                                    and\n                                                                          Interviewed CS personnel at the SMCs       No relevant exceptions were noted.\n                                \xe2\x80\xa2   terminated after a predetermined\n                                                                          to determine whether emergency\n                                    period on a case by case basis.\n                                                                          changes were made. 
For the two SMCs\n                                                                          that had emergency changes, a sample of\n                                                                          seven emergency and temporary user\n                                                                          access requests was inspected to\n                                                                          determine whether the authorizations\n                                                                          were:\n                                                                          \xe2\x80\xa2   documented and maintained on file,\n                                                                          \xe2\x80\xa2   approved by appropriate\n                                                                              management,\n                                                                          \xe2\x80\xa2   securely communicated to the IAM,\n                                                                              and\n                                                                          \xe2\x80\xa2   terminated after a predetermined\n                                                                              period on a case by case basis.\n\n\n\n\n                                                                         40\n\x0cPhysical Security\nNo.   
Control Objectives          Control Techniques                           Test of Operating Effectiveness            Results of Testing\n8     Controls provide reasonable assurance that adequate physical controls have been implemented.\n\n8.1   Perimeter (Base Level)      Physical safeguard procedures include:       Observed the physical inner and outer      No relevant exceptions were noted.\n      physical controls have                                                   perimeters of the CS facility for 17\n                                  \xe2\x80\xa2   controlled access and controlled\n      been implemented.                                                        DECCs visited to determine whether:\n                                      perimeters for CS facilities located\n                                      on military or GSA installations;        \xe2\x80\xa2   individuals attempting to access the\n                                  \xe2\x80\xa2   verification of DoD identification,          CS facility are required to present\n                                      such as a Common Access Card or              valid DoD identification;\n                                      DISA badge;                              \xe2\x80\xa2   perimeter security is in place to\n                                  \xe2\x80\xa2   enclosed perimeter, by a fence that          control vehicle and pedestrian\n                                      controls vehicle and pedestrian              access;\n                                      access, for CS facilities not located    \xe2\x80\xa2   access to administrative areas is\n                                      on military or GSA installation;             controlled by a guard, mechanical\n                                  \xe2\x80\xa2   routine patrol and random door               cipher lock, or automated access\n                                      checks performed by the local                control system; and\n             
                         military, DoD, or GSA guards in          \xe2\x80\xa2   routine patrol and random door\n                                      accordance with local base support           checks are performed by local\n                                      agreement, if required; and                  military, DoD, or GSA guards in\n                                  \xe2\x80\xa2   controlled access to the                     accordance with applicable base\n                                      administrative areas by guard,               support agreement(s).\n                                      mechanical cipher, or automated\n                                      access control system.\n8.2   Building, administration,   Computer facilities have at least two        Observed access to the computer facility   Of 17 DECCs tested, 4 did not use 2-\n      and computer facility       levels of physical security controls.        for 17 DECCs visited to determine          factor authentication to access the\n      physical controls have      Access to the computer facility requires     whether such access requires positive      computer facility.\n      been implemented.           positive identification of the employee      identification of the employee through\n                                  through the use of something they have       the use of something they have, for\n                                  (for example, proximity card or DoD          example, a proximity card or DoD\n                                  identification card) and something they      identification card; something they\n                                  know (for example, personal                  know, for example, a personal\n                                  identification number) or something they     identification number; or something they\n                                  are (for example, biometrics).               
are, for example, biometrics.\n\n\n\n                                                                              41\n\x0cNo.   Control Objectives         Control Techniques                            Test of Operating Effectiveness              Results of Testing\n                                 Employees must wear their picture             Observed CS employees at 17 DECCs            No relevant exceptions were noted.\n                                 identification cards above the waist.         visited to determine whether picture\n                                                                               identification cards are worn above the\n                                                                               waist.\n\n                                 The area of the computer facility that        Observed computer facilities containing      No relevant exceptions were noted.\n                                 contains unclassified equipment or            the servers and related infrastructure for\n                                 information is in compliance with the         17 DECCs visited to determine whether\n                                 requirements outlined in DoD                  the security around the computer facility\n                                 Regulation 5200.8, for level C Restricted     was in compliance with DoD Regulation\n                                 Areas, by having:                             5200.8, for level C Restricted Areas, by\n                                 \xe2\x80\xa2 an electronic security system,              having:\n                                 \xe2\x80\xa2 entry and circulation control,              \xe2\x80\xa2 an electronic security system,\n                                 \xe2\x80\xa2 barriers, and                               \xe2\x80\xa2 entry and circulation control,\n                                 \xe2\x80\xa2 security patrols or a designated            \xe2\x80\xa2 barriers, 
and\n                                      response force.                          \xe2\x80\xa2 security patrols or a designated\n                                                                                    response force.\n8.3   Visitors are controlled.   All CS site SMs must maintain an              Inspected access authorization               Access authorization documentation\n                                 authorized access list to the CS facility.    documentation for a sample of 566            was not complete for 34 of 566\n                                                                               employees at the SMCs, ISCs, 7 PEs,          employees tested. The 34 employees\n                                                                               and DECC Pacific to determine whether        were from 2 of 15 DECCs tested.\n                                                                               computer facility access was appropriate.\n\n                                 Visitors who do not have the appropriate      Interviewed the site SM for 17 DECCs         No relevant exceptions were noted.\n                                 security investigation or clearance will      visited about the process for escorting\n                                 be escorted at all times while in the         visitors and the local site-specific badge\n                                 computing facility.                           
color codes.\n\n                                                                               Observed visitors with badges that           No relevant exceptions were noted.\n                                                                               require escort to determine whether such\n                                                                               visitors were escorted at all times.\n\n                                 Visitors to the computing facilities that     Interviewed the local security officer and   No relevant exceptions were noted.\n                                 are not on the authorized access list must    security guard for 17 DECCs visited\n                                 be validated by the local security            about handling visitors not on the\n                                 manager, signed in and out of the             authorized access list.\n                                 facility, and escorted as required.\n                                                                              42\n\x0cNo.   
Control Objectives           Control Techniques                              Test of Operating Effectiveness             Results of Testing\n                                                                                   Observed visitors to CS facilities to       No relevant exceptions were noted.\n                                                                                   determine whether the visitors were\n                                                                                   validated by the local security officer,\n                                                                                   signed in and out of the facility, and\n                                                                                   escorted as required.\n\n8.4   Traditional security         As part of the site certification and           Interviewed FSO personnel about the         No relevant exceptions were noted.\n      reviews are performed.       accreditation process, a periodic               system classification levels and how they\n                                   traditional security review is conducted        affect the traditional security review\n                                   by the certifying authority at least every      process and schedule.\n                                   3 years or more frequently based on the\n                                                                                   Inspected the traditional security review   No relevant exceptions were noted.\n                                   classification levels processed by the site.\n                                                                                   schedule provided by the FSO to\n                                                                                   determine whether the reviews were\n                                                                                   being performed in accordance with the\n                        
                                                           system classification levels.\n                                                                                   Inspected DITSCAP documentation and         No relevant exceptions were noted.\n                                                                                   the traditional security review for 17\n                                                                                   DECCs to determine the date of the last\n                                                                                   traditional security review.\n\n\n\nLogical Access Controls\nNo.   Control Objectives           Control Techniques                              Test of Operating Effectiveness             Results of Testing\n9     Controls provide reasonable assurance that adequate logical access controls have been implemented.\n\n      Design Weakness:\n      CS does not have control procedures in place to ensure that adequate logical access controls have been implemented. Specifically, control procedures are\n      needed to ensure the following: (a) password configurations are in compliance with DoD STIGs and (b) all access paths have been identified and controls\n      implemented to prevent and detect access.\n\n\n\n\n                                                                                  43\n\x0c9.1   Passwords, tokens, or other    Password configuration requirements at       Inspected system-generated                  Refer to item (a) of the design\n      devices are used to identify   the system level will be in compliance       documentation for a sample of 48 UNIX,      weakness. For 7 of 54 Windows, 23 of\n      and authenticate users.        with appropriate DoD STIG.                   
54 Windows, 20 mainframe, and 19            48 UNIX, 7 of 19 network devices, and\n                                                                                  network devices managed by the SMCs         3 of 20 mainframe computer systems\n                                                                                  and ISCs to determine whether the           tested, password configurations were\n                                                                                  password configuration settings are in      not set in accordance with the\n                                                                                  compliance with the appropriate DoD         appropriate DoD STIG.\n                                                                                  STIG.\n\n                                     Passwords are checked for compliance         Interviewed the IAM or SA at the SMCs       No relevant exceptions were noted.\n                                     with DoD STIG standards as part of the       to obtain an understanding of the process\n                                     DISA-approved scanning tool,                 for checking compliance with DoD\n                                     password- cracking utilities, or SRRs.       STIGs and for scheduling the annual\n                                     Servers are checked with the automated       reviews to accommodate customer\n                                     scripts on a periodic basis. 
(Continued from the previous page)

     Control Technique (continued): Schedule for annual reviews will be established locally in order to accommodate customer production, system maintenance, and system update or upgrade requirements.
     Test of Operating Effectiveness (continued): ... production, system maintenance, and system update or upgrade requirements.
     Test of Operating Effectiveness: Inspected supporting documentation for performing local SRRs.
     Results of Testing: No relevant exceptions were noted.

     Control Technique: Vendor-supplied default logons and passwords are removed, changed, or disabled in accordance with the appropriate DoD STIG.
     Test of Operating Effectiveness: Inspected system-generated documentation for a sample of 48 UNIX, 54 Windows, 20 mainframe, and 19 network devices managed by the SMCs and ISCs to determine whether the vendor-supplied default logons and passwords were removed, changed, or disabled in accordance with the appropriate DoD STIG.
     Results of Testing: No relevant exceptions were noted.

9.2  Equipment and media are sanitized prior to disposal or reuse.

     Control Technique: Sanitation of equipment and media prior to disposal or reuse is performed in accordance with DoD Regulation 5200.1-R, the Security Handbook, and the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) Memorandum, "Disposition of Unclassified DoD Computer Hard Drives," dated June 4, 2001.
     Test of Operating Effectiveness: Interviewed CS operations staff at the SMCs to determine whether there was a process for compliance with DoD Regulation 5200.1-R and Security Handbook Section 3.5.
     Results of Testing: No relevant exceptions were noted.
     Test of Operating Effectiveness: Reviewed logs at the SMCs for evidence of proper sanitation procedures.
     Results of Testing: No relevant exceptions were noted.

9.3  All access paths have been identified and controls have been implemented to prevent or detect access.

     Control Technique: The operating system and communications software are configured to prevent circumvention of security software controls and unauthorized access from all paths.
     Test of Operating Effectiveness: Inspected system-generated documentation for a sample of 48 UNIX, 54 Windows, 20 mainframe, and 19 network devices managed by the SMCs and ISCs and, where available, other authorization (waiver) documentation to determine whether the operating system and communications software are configured to prevent circumvention of security software controls and unauthorized access from all paths.
     Results of Testing: Refer to item (b) of the design weakness. For 67 of 141 computer systems tested, operating system and communications software were not configured in accordance with the appropriate STIGs to prevent circumvention of security.

     Control Technique: Access paths are identified within the communications topography for each CS site. The communications topography shows connections from the wide-area network into the perimeter point of presence down to the individual Internet Protocol addresses of all devices within the enclave.
     Test of Operating Effectiveness: Inspected the network diagram for the CCCs to determine whether the diagram shows connections from the wide-area network into the perimeter point of presence down to the individual Internet Protocol addresses of all devices within the enclave.
     Results of Testing: No relevant exceptions were noted.

     Control Technique: System software is configured in accordance with the DoD STIGs.
     Test of Operating Effectiveness: Inspected system-generated documentation for a sample of 48 UNIX, 54 Windows, 20 mainframe, and 19 network devices managed by the SMCs and ISCs and, where available, other authorization (waiver) documentation to determine whether the systems software was configured in accordance with DoD STIGs and CS policies.
     Results of Testing: Refer to item (b) of the design weakness. For 67 of 141 computer systems tested, systems software was not configured in accordance with the appropriate DoD STIGs and CS policies.

     Control Technique: Access to data files, software programs, and databases is controlled by the configuration settings described in the DoD STIGs.
     Test of Operating Effectiveness: Inspected system-generated documentation for a sample of 48 UNIX, 54 Windows, 20 mainframe, and 19 network devices managed by the SMCs and ISCs and, where available, other authorization (waiver) documentation to determine whether access to data files, software programs, and databases is controlled by the configuration settings described in the DoD STIGs.
     Results of Testing: Refer to item (b) of the design weakness. For 67 of 141 computer systems tested, systems software was not configured in accordance with the appropriate DoD STIGs.

     Control Technique: Network diagrams are developed and maintained by the CCC to show potential access paths.
     Test of Operating Effectiveness: Inspected the network diagram for the CCCs to determine whether the potential access paths are indicated.
     Results of Testing: No relevant exceptions were noted.


Networks and Telecommunications

10   Controls provide reasonable assurance that networks and telecommunications are secure.

10.1 Telecommunication defense capabilities are implemented.

     Control Technique: CCC sites will maintain a current drawing of their network topology that includes all external and internal links, subnets, and network equipment in accordance with DoD STIGs.
     Test of Operating Effectiveness: Inspected the network topology for the CCCs to determine whether all external and internal links, subnets, and network equipment are included in accordance with DoD STIGs.
     Results of Testing: No relevant exceptions were noted.

     Control Technique: Dial-in telephone numbers are not published and are periodically changed.
     Test of Operating Effectiveness: Interviewed the IAM or SM for the SMCs about the process that prevents dial-in telephone numbers from being published.
     Results of Testing: No relevant exceptions were noted.

     Control Technique: Telecommunications access is controlled by the managing CCC for the network devices, including firewalls and network IDSs, for all sites within the continental United States for unclassified wide-area networks. CCC personnel have access to those networks through the out-of-band virtual private network tunnel for all networks so equipped.
     Test of Operating Effectiveness: Interviewed network management staff at the CCCs about their process to manage the network devices. Inspected the network topology at the CCCs to determine whether the management of these network devices is restricted to the out-of-band private network.
     Results of Testing: No relevant exceptions were noted.

10.2 Network defense capabilities are implemented.

     Control Technique: Network access paths are configured to prevent circumvention of security and unauthorized access, in accordance with DoD STIGs.
     Test of Operating Effectiveness: Attempted to access the network internally and externally at the SMCs to determine whether access paths were configured to prevent circumvention of security and unauthorized access, in accordance with DoD STIGs.
     Results of Testing: Networks at the SMCs were not configured to prevent circumvention of security and unauthorized access, in accordance with DoD STIGs.

     Control Technique: Networking equipment is configured in accordance with DoD STIGs.
     Test of Operating Effectiveness: Inspected system-generated documentation for a sample of 19 network devices managed by the SMCs and ISCs and, where available, other authorization (waiver) documentation to determine whether the devices were controlled by the configuration settings promulgated by DoD STIGs.
     Results of Testing: Of 19 network devices tested, 7 were not configured in accordance with DoD STIGs.

10.3 Remote and dial-up capabilities are controlled.

     Control Technique: Remote access is established in accordance with DoD STIGs.
     Test of Operating Effectiveness: Inspected user access agreements for a sample of 180 users at the 3 SMCs with remote access privileges to determine whether:
     •   the signed agreement includes the type of access required by the user;
     •   the signed agreement includes the responsibilities, the liabilities, and security measures (for example, malicious code detection training) involved in the use of their remote access device;
     •   incident handling and reporting procedures are identified along with a designated point of contact;
     •   the remote user can be held responsible for damage caused to a Government system or data through negligence or a willful act;
     •   the policy contains general security requirements and practices and will be acknowledged and signed by the remote user;
     •   Government-owned hardware and software will be used for official duties only; and
     •   the user is the only individual authorized to use this equipment.
     Results of Testing: Of 180 users tested, 35 did not have the appropriate authorization for remote access. The 35 users were from 3 SMCs.
     Test of Operating Effectiveness: Inspected the authentication mechanism for remote access for three SMCs to determine whether a 2-factor authentication method was in place.
     Results of Testing: The three SMCs tested did not use 2-factor authentication for remote access.


Incident Response

11   Controls provide reasonable assurance that an effective incident response capability has been implemented.

11.1 Incident response controls are implemented at DISA.

     Control Technique: DISA Instruction 360-225-1 provides guidance on handling incidents, the incident reporting structure, and prioritization of incidents that is consistent with the attributes noted in DoD Instruction 8500.2. Trouble Management System tickets or e-mails are used as incident response and reporting tools for CS. Specifically, the following items from the Trouble Management System questionnaire must be completed.
     •   What was the root cause of the problem?
     •   What troubleshooting efforts were conducted?
     •   Were redundant systems available and working?
     •   Confirm the overall impact the outage has on the customer mission.
     •   Were scheduled batch processing jobs delayed?
     •   If the reporting site remotely manages the application or equipment that has the problem, provide the physical location of the equipment and application.
     Test of Operating Effectiveness: Inspected documentation for a sample of 242 incidents at the SMCs and 2 ISCs to determine whether the questionnaire was completed in accordance with DISA CS Instruction 360-225-1. Specifically, the following items from the Trouble Management System questionnaire were inspected.
     •   What was the root cause of the problem?
     •   What troubleshooting efforts were conducted?
     •   Were redundant systems available and working?
     •   Was the overall impact of the outage on the customer's mission confirmed?
     •   Were scheduled batch processing jobs delayed?
     •   If the reporting site remotely managed the application or equipment that has the problem, was the physical location of the equipment and application provided?
     Results of Testing: Of 242 incidents at the SMCs and 2 ISCs tested, 51 incident reports were not completed in accordance with DISA CS Instruction 360-225-1.


Access Monitoring

12   Controls provide reasonable assurance that access is monitored, suspected security violations are investigated, and appropriate remedial action is taken.

     Design Weakness:
     CS does not have control procedures in place to ensure that access is monitored, suspected security violations are investigated, and appropriate remedial action is taken. Specifically, control procedures are needed to ensure that audit trails are being maintained and reviewed.

12.1 Audit trails are maintained.

     Control Technique: System auditing is enabled in accordance with DoD STIGs.
     Test of Operating Effectiveness: Inspected system-generated documentation for a sample of 141 computer systems to determine whether system auditing is enabled in accordance with DoD STIGs.
     Results of Testing: Of the 141 systems tested, system auditing was not enabled for 23 systems, and system permission settings for auditing logs were not configured correctly for 10 systems.

     Control Technique: System auditing review is in accordance with DoD STIGs.
     Test of Operating Effectiveness: Interviewed the SAs at the SMCs and ISCs to determine whether system auditing is reviewed in accordance with DoD STIGs.
     Results of Testing: Refer to the design weakness. At two SMCs and two ISCs, there was no periodic, scheduled review of audit logs.

     Control Technique: Auditing is conducted in accordance with DoD STIGs.
     Test of Operating Effectiveness: Interviewed the SAs at the SMCs and ISCs to determine whether system auditing is conducted in accordance with DoD STIGs.
     Results of Testing: Refer to the design weakness. At two SMCs and two ISCs, there was no periodic, scheduled auditing conducted.

12.2 Actual or attempted unauthorized, unusual, or sensitive network access is monitored.

     Control Technique: Network intrusion detection systems used to monitor unusual or inappropriate activity are installed in accordance with the DoD STIGs.
     Test of Operating Effectiveness: Interviewed CCC staff and inspected the CCC network diagram to determine whether an external network intrusion detection system is installed and implemented and whether all external connections are monitored.
     Results of Testing: No relevant exceptions were noted.
     Test of Operating Effectiveness: Interviewed CCC staff and inspected the CCC network diagram to determine whether an internal network intrusion detection system (IDS) is installed and implemented and whether all internal connections are monitored.
     Results of Testing: No relevant exceptions were noted.

     Control Technique: Procedures are in place for monitoring, investigating, and reporting inappropriate or unusual activity. The DoD STIG outlines what activity constitutes inappropriate or unusual activity.
     Test of Operating Effectiveness: Interviewed the IAM, IAO, or SM at the CCCs to gain an understanding of the process followed when monitoring, investigating, and reporting inappropriate or unusual system activity.
     Results of Testing: No relevant exceptions were noted.
     Test of Operating Effectiveness: Inspected the site's network monitoring policy at the CCCs to determine whether the policy was in accordance with DoD STIGs and whether the policy identified thresholds for an inappropriate or unusual event.
     Results of Testing: No relevant exceptions were noted.

12.3 Suspicious network access activity is investigated and appropriate action is taken.

     Control Technique: Suspicious access activity is investigated and appropriate action taken in accordance with DISA Instruction 360-225-1 and CS Policy Letter CSD 06-02.
     Test of Operating Effectiveness: Interviewed CCC staff to determine whether suspicious network activity is investigated and appropriate action taken.
     Results of Testing: No relevant exceptions were noted.


Change Control

13   Controls provide reasonable assurance that changes to DISA-owned assets are properly controlled.

13.1 DISA-initiated software or hardware modifications are authorized, and the documentation is maintained.

     Control Technique: For customer-requested changes: in accordance with the CS Change and Configuration Concept of Operations, proposed changes to hardware, operating system, utility software, communications, and networks are reviewed and approved. Local Change Control Boards are in place at each of the SMCs and two ISCs to oversee the change review and approval process. The site IAM is a voting member of the local Change Control Boards.
     Test of Operating Effectiveness: Inspected documentation for a sample of 175 change requests at the SMCs and two ISCs to determine whether changes are reviewed and approved in accordance with the CS Change and Configuration Concept of Operations, local Change Control Boards are in place at the SMCs and ISCs, and the IAM is a voting member of the Change Control Board.
     Results of Testing: Of 175 change requests, 3 were not approved by a supervisor or the local Change Control Board. The exceptions were from 1 SMC and 1 ISC.

     Control Technique: Verification and acceptance of operating system and utility software changes is documented and approved, and operating system and utility software movements are controlled. The Executive Software Change Control Board (the Board) provides this control for operating systems and utility software DISA wide. Local change management controls the implementation of operating system and executive software changes at the SMC and ISC level. All Board actions are documented and approved. Minutes of each Board meeting are published, and all documentation is maintained indefinitely and is available online or upon request. The actual movement of IBM mainframe software is tightly controlled by the Board and Software Factory interface. All software distributed by the Software Factory is tracked, notifications are provided to appropriate organizations, and a complete audit trail is retained.
     Test of Operating Effectiveness: Interviewed change management staff at the SMCs to determine the various change management roles and responsibilities, including the Board and Software Factory.
     Results of Testing: No relevant exceptions were noted.
     Test of Operating Effectiveness: Inspected the Board operating procedure document outlining the role of the Board to determine whether the Board controls the utility and operating system changes for four sites.
     Results of Testing: No relevant exceptions were noted.
     Test of Operating Effectiveness: Inspected evidence to determine whether all Board actions are documented and approved, and whether the minutes of Board meetings are available.
     Results of Testing: No relevant exceptions were noted.
     Test of Operating Effectiveness: Inspected the System Software Office product procedure installation guide for the mainframe systems at one site to determine whether all software distributed by the Software Factory is tracked, notifications are provided to appropriate organizations, and a complete audit trail is retained.
     Results of Testing: No relevant exceptions were noted.

13.2 New and modified hardware and operating system or utility software is tested and controlled according to specific criteria.

     Control Technique: New systems and changes to existing systems are reviewed by an approving authority prior to connection to the network in accordance with CS Policy Letter CSD 05-09.
     Test of Operating Effectiveness: Inspected documentation for a sample of 128 change requests for new and existing systems at the SMCs to determine whether changes are reviewed by an approving authority prior to connection to the network.
     Results of Testing: No relevant exceptions were noted.

     Control Technique: Changes to hardware and operating system software are documented in the minutes of the Change Control Board.
     Test of Operating Effectiveness: Inspected a sample of 74 Change Control Board meeting minutes for three SMCs and one ISC where the control is applicable to determine whether hardware and operating system software changes are documented.
     Results of Testing: No relevant exceptions were noted.

     Control Technique: As part of the SSOPAC process for IBM mainframe operating system software releases:
     •   integration testing is performed to ensure functionality;
     •   performance and stress testing is performed, as required, to identify impacts on system performance; and
     •   security testing is performed for each operating system software release.
     Based upon test results, actions are initiated to rectify identified software deficiencies, performance impacts, and security problems.
     Test of Operating Effectiveness: Interviewed System Software Office management personnel for the IBM mainframes based at DECC Mechanicsburg to determine the process for performing integration testing, performance and stress testing, and security testing on IBM mainframe operating system releases.
     Results of Testing: No relevant exceptions were noted.

13.3 Emergency changes are promptly approved.

     Control Technique: Emergency change procedures are documented in the CS Change and Configuration Management Plan.
     Test of Operating Effectiveness: Inspected the CS Change and Configuration Management Plan to determine whether emergency change procedures are defined and documented.
     Results of Testing: No relevant exceptions were noted.
     Test of Operating Effectiveness: Inspected documentation for a sample of 96 emergency changes at 3 SMCs and 1 ISC to determine whether:
     •   the emergency changes were recorded and approved by management; and
     •   normal change request forms and related documentation were completed after the emergency change occurred.
     Results of Testing: Of 96 emergency changes tested, 2 changes at 1 SMC were not approved by management.
     Test of Operating Effectiveness: Inspected documentation for a sample of 78 emergency changes at 3 SMCs to determine whether an independent review of each change was performed.
     Results of Testing: For eight emergency changes at one SMC, no independent review was documented.
13.4  Control Objective: Movement of programs and data among libraries is
      controlled.

      Control Technique: Mainframe Executive Software products are recorded and
      tracked. Inventories are maintained, which include version, maintenance
      level, out-of-support date, and documentation.
      Test of Operating Effectiveness: Inspected system documentation from the
      Mechanicsburg Software Factory for mainframe systems to determine whether
      mainframe executive software programs are recorded and tracked, and an
      inventory is maintained that includes the version, maintenance level,
      out-of-support date, and related documentation.
      Results of Testing: No relevant exceptions were noted.

13.5  Control Objective: Use of public domain and personal software is
      restricted.

      Control Technique: Use of personal and public domain software on
      Government equipment is in accordance with DoD Directive 8500.1 and CS
      Operations policy.
      Test of Operating Effectiveness: Inspected the contents of 56 employees'
      computers at the SMCs and ISCs to determine whether the computers
      contained public domain and personal software not approved in accordance
      with DoD Directive 8500.1 and CS Operations policy.
      Results of Testing: Of 56 sampled computers, 35 computers at the 4 SMCs
      and 2 ISCs contained unapproved public domain or personal software.

Service Continuity

14    Controls provide reasonable assurance that procedures and controls are in
      place to prevent or minimize unexpected interruptions.

14.1  Control Objective: Data and program backup procedures have been
      implemented.

      Control Technique: Each site has implemented its own off-site and
      transportation agreements in accordance with SLA requirements.
      Test of Operating Effectiveness: Interviewed computer center operations
      staff at the SMCs and ISCs to determine their off-site and transportation
      requirements for backup media.
      Results of Testing: No relevant exceptions were noted.

      Test of Operating Effectiveness: Inspected the off-site transportation
      agreement for the SMCs and ISCs to determine whether backup media is
      transported to the off-site location in accordance with SLA requirements.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Data and program backup procedures are conducted in
      accordance with the appropriate DoD STIGs, SLA requirements, and CS Policy
      Letter 06-01.
      Test of Operating Effectiveness: Inspected the off-site transportation
      agreement for the SMCs and ISCs to determine whether the agreement
      included the following:
      • a schedule for the weekly full data backup;
      • a schedule for an incremental daily backup;
      • a schedule for monthly full system backup;
      • detailed backup procedures;
      • a plan for rotating backup media;
      • detailed restoration procedures;
      • customer requirements, a copy of a memorandum of agreement, and a copy
        of any SLA;
      • storage and retention procedures for backup media;
      • schedule and methodology for testing restoration procedures;
      • procedures for maintaining a historical file for the "root" password
        in a controlled access environment; and
      • backup procedures that are tested at least annually.
      Results of Testing: No relevant exceptions were noted.

      Test of Operating Effectiveness: Interviewed staff and inspected
      documentation for the SMCs and ISCs to determine whether data and program
      backup procedures are in compliance with DoD STIGs, SLA requirements, and
      CS Policy Letter 06-01.
      Results of Testing: No relevant exceptions were noted.

14.2  Control Objective: Environmental controls have been implemented.

      Control Technique: Computing facilities and support areas have automatic
      notification of activation of smoke detectors that alarm locally and at
      the supporting fire department.

      Some administration areas have automatic notification of activation of
      smoke detectors. Some of these only alarm locally; some alarm locally and
      at the supporting fire department.

      Fire inspections are made based on local site rules.

      Computing facilities and support areas have automatic activation of fire
      suppression systems.

      Administration areas have either automatic activation of fire suppression
      systems or hand-held extinguishers located throughout the area.
      Test of Operating Effectiveness: Interviewed data center personnel and
      inspected the data center for the 17 DECCs to determine whether the
      following environmental controls were in place:
      • fire detection, prevention, and suppression mechanisms;
      • air conditioning, temperature, and humidity control systems;
      • uninterrupted power supplies, voltage regulators, and backup
        generators.
      Results of Testing: At one DECC, no agreement could be located to
      demonstrate firefighting support provided by the base.
      At two DECCs, a copy of the last fire marshal inspection was not
      available.
      At one DECC, the fire department is not automatically notified in case
      of fire.

      Control Technique: All computer facilities have:
      • automatic humidity and temperature control systems that alarm when
        established humidity and temperature conditions are exceeded;
      • a master power switch located at or near the main entrance, which is
        labeled and protected by a cover to prevent accidental shut-off;
      • automatic voltage control systems that alarm if the voltage fluctuates
        beyond established safe operating levels;
      • a minimum of two electrical feeds;
      • a battery-powered, uninterrupted power system to provide sufficient
        power to all systems in the computer room to allow for at least
        20 minutes of operations; and
      • backup generators that are set to automatically start and generate
        power when commercial power fails. The generators are tested monthly
        for operations and power generation. Additional fuel and spare parts
        are on hand to provide for sustained operations.
      Test of Operating Effectiveness: Interviewed data center personnel and
      inspected the data center for the 17 DECCs to determine whether the
      following environmental controls were in place:
      • automatic humidity and temperature control systems that alarm,
      • a master power switch located at or near the main entrance,
      • automatic voltage control systems,
      • a minimum of two electrical feeds,
      • battery-powered uninterrupted power system, and
      • backup generators that are set to automatically start.
      Results of Testing: One DECC did not have humidity control devices
      installed.

14.3  Control Objective: Hardware maintenance controls have been implemented.

      Control Technique: Routine periodic preventive maintenance on facilities
      equipment is scheduled and performed in accordance with vendor
      specifications and in a manner that minimizes the impact on operations.
      Test of Operating Effectiveness: Interviewed computer operations staff
      for the SMCs and ISCs to determine the process for scheduling preventive
      maintenance on facilities equipment and tracking completion of scheduled
      maintenance.
      Results of Testing: At one ISC, testing of the water sensors was not
      conducted to determine if the sensors are operable.

      Control Technique: Records are maintained on the actual performance in
      meeting facilities equipment service schedules.
      Test of Operating Effectiveness: Interviewed operations and facility
      management to determine the process for scheduling, monitoring, and
      tracking completion of maintenance on facilities equipment.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Policies and procedures for IT equipment maintenance
      exist and are up-to-date.
      Test of Operating Effectiveness: Inspected the IT equipment maintenance
      policies and procedures at CS Logistics to determine whether the policies
      and procedures exist and are up-to-date.
      Results of Testing: No relevant exceptions were noted.
      Control Technique: Routine periodic preventive maintenance on IT
      equipment is scheduled and performed in accordance with vendor
      specifications and in a manner that minimizes the impact on operations or
      as provided for in the maintenance contract.
      Test of Operating Effectiveness: Interviewed computer operations staff at
      the SMCs and ISCs to determine the process for scheduling, monitoring, and
      tracking completion of maintenance on IT equipment.
      Results of Testing: No relevant exceptions were noted.

      Test of Operating Effectiveness: Inspected 255 IT equipment maintenance
      tickets at the SMCs and 1 ISC to determine whether scheduled maintenance
      is completed.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Regular and unscheduled maintenance on IT equipment is
      performed and documented.
      Test of Operating Effectiveness: Interviewed computer operations staff
      for the SMCs and ISCs to determine the process for scheduling maintenance
      on IT equipment and documenting completion of scheduled maintenance.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Flexibility exists in the data processing operations
      to accommodate regular and a reasonable amount of unscheduled
      maintenance.
      Test of Operating Effectiveness: Interviewed computer operations staff
      for the SMCs and ISCs on their process for determining flexibility in the
      data processing operations to accommodate a regular and reasonable amount
      of unscheduled maintenance.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Spare or backup hardware is used to provide a high
      level of system availability for critical and sensitive applications.
      Test of Operating Effectiveness: Interviewed computer operations staff
      for the SMCs and ISCs to determine whether spare or backup hardware
      inventory existed.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Goals are established by senior management on the
      availability of data processing and on-line services.
      Test of Operating Effectiveness: Interviewed site management at CSD
      Headquarters and CS Operations to determine whether availability goals
      are established and documented for data processing and on-line services.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Records are maintained on the actual performance in
      meeting IT equipment service schedules.
      Test of Operating Effectiveness: Interviewed operations management to
      determine the process for scheduling, monitoring, and tracking completion
      of scheduled maintenance on IT equipment.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Regular and unscheduled maintenance on facilities
      equipment is performed and documented.
      Test of Operating Effectiveness: Interviewed computer operations staff
      for the SMCs and ISCs to determine the process for scheduling,
      monitoring, and tracking completion of maintenance on facilities
      equipment, and the preventive maintenance procedures and schedule.
      Results of Testing: No relevant exceptions were noted.

14.4  Control Objective: Staff have been trained to respond to emergencies.

      Control Technique: Data center staff receive periodic training in
      emergency fire, flooding, and alarm incident procedures.
      Test of Operating Effectiveness: Inspected training documentation for
      105 employees at 3 SMCs and the ISCs to determine whether the employees
      had received training in emergency fire, flooding, and alarm incident
      procedures.
      Results of Testing: Formal emergency response training has not been
      conducted on a regular basis. Of 105 employee records reviewed, 29 at
      2 ISCs did not complete the training.

      Control Technique: Data center employees have received training and
      understand their emergency roles and responsibilities.
      Test of Operating Effectiveness: Inspected training documentation for
      105 employees at 3 SMCs and the ISCs to determine whether they had
      received training in emergency roles and responsibilities.
      Results of Testing: Of 105 employees, 29 at 2 ISCs did not complete
      formal training on their emergency roles and responsibilities.

      Control Technique: Emergency procedures are periodically tested.
      Test of Operating Effectiveness: Inspected emergency plan and test
      documentation for the SMCs and ISCs to determine whether the test was
      performed annually and whether the results were documented.
      Results of Testing: No relevant exceptions were noted.

      Control Technique: Emergency response procedures are documented.
      Test of Operating Effectiveness: Inspected emergency response procedures
      for the SMCs and ISCs to determine whether they were documented.
      Results of Testing: No relevant exceptions were noted.


Section IV: Supplemental Information Provided by DISA

The DISA 2005 Statement on Auditing Standards No. 70 project included some
conditions pertaining to security systems and procedures that are beyond the
purview of CS. The following is a summary of those issues that continue to
require support from external sources and were identified prior to inception of
the 2006 project.

2005 Results of Testing Requiring DoD or DISA Enterprise Solutions

Audit Trails. The DoD Office of Inspector General recommended that the CS
Director implement more consistent procedures across the enterprise to create,
monitor and review, protect, and maintain CS system audit trails in order to
comply with the requirements of DoD Instruction 8500.2 and STIGs. In addition,
it was recommended that CS implement and configure software audit capabilities
such that security personnel could extract critical events from system data on
a daily basis; conduct in-depth, daily reviews of all audit trails for
suspicious activity; and investigate security incidents with automated access
to all audit data.

        Status: DISA does not currently have the automated tools required to
meet these objectives. Implementation of the appropriate programs is pending
implementation resources and technical recommendations from the DISA FSO.

Host-Based Intrusion Detection Systems. It was recommended that the CS Director
deploy host-based intrusion detection systems software on all major application
servers, network management assets, and domain name servers, in accordance with
DoD Instruction 8500.2 and the STIGs.

        Status: DoD has awarded a contract for an enterprise-wide, host-based
security solution. CS is awaiting implementation of the DoD-wide, host-based
security solution.

2006 Results of Testing Requiring DoD or DISA Enterprise Solutions

Vulnerability Management System (VMS). The 2006 Statement on Auditing
Standards No. 70 project included results of testing that indicated
noncompliance with DoD STIGs and POA&Ms. It is significant to note that the
tool used to track vulnerabilities (VMS 6.0), originally scheduled to be
implemented in December 2005, was delayed until May 2006, in the middle of the
diagnostic testing phase of the audit. Because all CS controls and control
techniques were developed and implemented based on an operational VMS 6.0,
several gaps were observed in POA&M documentation (a new requirement for
VMS 6.0) that support actions and mitigations for identified vulnerabilities.
In short, the majority of POA&M findings in this area are attributable to the
VMS upgrade from 5.4 to 6.0 and do not indicate a lack of CS enforcement of the
DoD STIGs and CS policy regarding POA&Ms.


Scope
Defense Enterprise Computing Centers in Scope of This Report

  Systems Management Centers
    Mechanicsburg, Pennsylvania
    Montgomery, Alabama
    Ogden, Utah
    Oklahoma City, Oklahoma

  Infrastructure Services Centers
    Columbus, Ohio
    San Antonio, Texas
    St. Louis, Missouri

  Processing Elements
    Chambersburg, Pennsylvania
    Dayton, Ohio
    Denver, Colorado
    Huntsville, Alabama
    Jacksonville, Florida
    Norfolk, Virginia
    Rock Island, Illinois
    San Diego, California
    Warner Robins, Georgia

  Pacific, Pearl Harbor, Hawaii


Acronyms and Abbreviations
BMC       Business Management Center
CCC       Communications Control Center
CIO       Chief Information Officer
CS        Center for Computing Services
DAA       Designated Approving Authority
DECC      Defense Enterprise Computing Center
DISA      Defense Information Systems Agency
DITSCAP   Defense Information Technology Certification and Accreditation Process
DoD       Department of Defense
FSO       Field Security Operations
GIG       Global Information Grid
GSA       General Services Administration
IA        Information Assurance
IAM       Information Assurance Manager
IAO       Information Assurance Officer
IAR       Information Assurance Review
IDS       Intrusion Detection System
ISC       Infrastructure Services Center
IT        Information Technology
MAC       Mission Assurance Category
MPS       Manpower, Personnel, and Security
OMB       Office of Management and Budget
PE        Processing Element
POA&M     Plan of Action and Milestones
SA        System Administrator
SLA       Service-Level Agreement
SM        Security Manager
SMC       System Management Center
SRR       Security Readiness Review
SSAA      System Security Authorization Agreement
SSO       System Support Office
STIG      Security Technical Implementation Guide
VMS       Vulnerability Management System


Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Director, Program Analysis and Evaluation

Department of the Army
Assistant Secretary of the Army (Financial Management and Comptroller)
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Auditor General, Department of the Air Force

Combatant Commands
Commander, U.S. Joint Forces Command
  Inspector General, U.S. Joint Forces Command
Commander, U.S. Strategic Command

Other Defense Organizations
Director, Defense Finance and Accounting Service
Director, Defense Information Systems Agency
Director, Defense Logistics Agency

Non-Defense Federal Organization
Office of Management and Budget
Government Accountability Office

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Management, Finance, and Accountability,
  Committee on Government Reform
House Subcommittee on National Security, Emerging Threats, and International
  Relations, Committee on Government Reform


Team Members
The Department of Defense Office of the Deputy Inspector General for Auditing,
Defense Financial Auditing Service, in conjunction with contract auditors from
Ernst & Young LLP, prepared this report. Personnel of the Department of
Defense Office of Inspector General who contributed to the report are listed
below.

Paul J. Granetto
Patricia A. Marsh
Patricia C. Remington
Suzette L. Luecke
Anh Tran
Michael L. Davitt
Chi H. Lam
Chanda D. Lee-Baynard
Danial Olberding
Ernest Fine
Minh Tran
Wen-Tswan Chen
Christopher Bitakis
